Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike.

Published byJudith Carr Modified over 8 years ago

Similar presentations

Presentation on theme: "Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike."— Presentation transcript:

1 Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike Hsiao 20081107 University of Michigan, Arbor Network

2 2 Outline Introduction Anti-Virus Clustering of Malware Behavior-Based Malware Clustering Evaluation Related Work Conclusion

3 3 Introduction Current different anti-virus products characterize malware in ways that are inconsistent across anti-virus products, incomplete across malware, and fall to be concise in there semantics. The authors propose a new classification technique that describes malware behavior in terms of system state changes. Automated Classification and Analysis of Internet Malware

4 4 Introduction (cont’d) Spam, phishing, denial of service attacks, botnets, and worms largely depend on some form of malicious code, commonly referred to as malware. – Exploiting software vulnerability – Tricking users into running malicious code

5 5 Introduction (challenges) Agobot (name of a malware) has been observed to have more than 580 variants. – Agobot variants have the ability to perform DoS attacks, steal bank passwords and account, propagate over the network using a diverse set of remote exploits, use polymorphism and disassembly, and even patch vulnerabilities and remove competing malware. A recent Microsoft survey found more than 43,000 new variants of backdoor trojans and bots during the first half of 2006. multi-vector

6 6 Introduction The authors developed a dynamic analysis approach, based on the execution of malware and the casual tracing of the OS objects created due to malware execution. The reduced collection of these user-visible system state changes is used to create a fingerprint of the malware’s behavior. – These fingerprints are more invariant and useful than abstract code sequence (representing program behaviors)

7 7 Introduction These can be directly used in assessing the potential damage incurred, enabling detection and classification of new threats, and assisting in the risk assessment of these threats in mitigation and clean up. The author provide a method for automatically categorizing these malware profiles into groups that reflect similar classes of behaviors.

8 8 Outline Introduction Anti-Virus Clustering of Malware Behavior-Based Malware Clustering Evaluation Related Work Conclusion

9 9 Understanding Anti-Virus Malware Labeling In order to accurately characterize the ability of AV to provide meaningful labels for malware, … Note: AV systems rarely use the exact same labels for a threat, and users of these systems have come to expect simple naming differences across vendors. e.g, WORM_MSBLAST.A

10 10 A pool of malware classified by AVs as SDBot families The classification of SDBot is ambiguous.

11 11 Properties of a Labeling System Consistency – Identical items must and similar items should be assigned the same label. Completeness – A label should be generated for as many items as possible. Conciseness – The labels should be sufficient in number to reflect the unique properties of interest, while avoiding superfluous labels.

12 12 Outline Introduction Anti-Virus Clustering of Malware Behavior-Based Malware Clustering Evaluation Related Work Conclusion

13 13 Defining and Generating Malware Behaviors Individual system calls may be at a level that is too low for abstracting semantically meaningful information – a higher abstraction level is needed to effectively describe the behavior of malware. The authors define the behavior of malware in terms of non-transient state changes that the malware causes on the system. – spawned process, modified registry keys, modified files, network connection attempts.

14 14 Clustering of Malware Ten unique malware samples - P: number of process - F: file - R: registry - N: network Our approach to generating meaningful labels is achieved through clustering of the behavioral fingerprints.

15 15 Comparing Individual Malware Behaviors - NCD Intuitively, Normalized Compression Distance (NCD) represents the overlap in information between two samples. C(x) is the zlib- compressed length of x.

16 16 Constructing Relationships Between Malware distance

17 17 Extracting Meaningful Groups distance c1 c2 c3 c4 Clusters are constructed from the tree by first calculating the inconsistency coefficient of each cluster, and then thresholding based on the coefficient.

18 18 Outline Introduction Anti-Virus Clustering of Malware Behavior-Based Malware Clustering Evaluation Related Work Conclusion

19 19 Comparing AV Groupings and Behavioral Clustering The propose method created 403 cluster from 3,698 individual malware. – http://www.eecs.umich.edu/~mibailey/malware/ http://www.eecs.umich.edu/~mibailey/malware/ The authors expect that a behavior-based approach would separate out these more general classes if their behavior differs, and aggregate across the more specific classes if behaviors are shared.

20 20 Comparing AV Groupings and Behavioral Clustering (example) Symantec, who adopts a more general approach, has two binaries identified as “back-door.sdbot”. They were divided into separate clusters in our evaluation based on – differing processes created, – differing back-door ports, – differing methods of process invocation or reboot, – and the presence of AV avoidance in one of the samples.

21 21 Comparing AV Groupings and Behavioral Clustering (example) FProt, which has a high propensity to label each malware sample individually, – had 47 samples that were identified as belonging to the sdbot family. FProt provided 46 unique labels for these samples, nearly one unique label per sample. In our clustering, these 46 unique labels were collapsed into 15 unique clusters reflecting their overlap in behaviors.

22 22 Measuring the Completeness, Conciseness and Consistency No such behavior - P: number of process - F: file - R: registry - N: network In the large sample, roughly 2,200 binaries shared exactly identical behavior with another sample. When grouped, these 2,200 binaries created 267 groups in which each sample in the group had exactly the same behavior.

23 23 Application of Clustering and Behavior Signatures (1/2) Classifying Emerging Threats – For example, cluster c156 consists of three malware samples that exhibit malicious bot-related behavior, including IRC command and control activities. – Each of the 75 behaviors observed in the cluster is shared with other samples of the group—96.92% on average, meaning the malware samples within the cluster have almost identical behavior. – It is clear that our behavioral classification would assist in identifying these samples as emerging threats through their extensive malicious behavioral profile.

24 24 Application of Clustering and Behavior Signatures (2/2) Resisting Binary Polymorphism Examining the Malware Behaviors

25 25 Outline Introduction Anti-Virus Clustering of Malware Behavior-Based Malware Clustering Evaluation Related Work Conclusion

26 26 Related Work Content-based signatures – insufficient to cope with emerging threats due to intentional evasion Lower-layer behavioral profiles – individual system calls, instruction-based code templates, shellcode, network connection and session behavior – do not provide semantic value in explaining behaviors exhibited by a malware variant or family Ellis – similar data being sent from one to the next

27 27 Outline Introduction Anti-Virus Clustering of Malware Behavior-Based Malware Clustering Evaluation Related Work Conclusion

28 28 Conclusion They showed that AV systems are incomplete in that they fail to detect or provide labels. – not consistent – vary widely in their conciseness Create a behavioral fingerprint of the malware’s activity – the state changes that are a causal result of the infection.

29 29 Comments Host-based observation – v.s. network observation Classify collected malware – v.s. detect malicious behavior Closely to understand what are happening while these malware are executed. – v.s. the revealed behaviors that reflect the abnormalities of compromised service

Download ppt "Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Scalable, Behavior-Based Malware Clustering Ulrich Bayer,Paolo Milani Comparetti,Clemens Hlauschek,Christopher Kruegel, and Engin Kirda Technical University.

Scalable, Behavior-Based Malware Clustering Ulrich Bayer,Paolo Milani Comparetti,Clemens Hlauschek,Christopher Kruegel, and Engin Kirda Technical University.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Automatically Generating Models for Botnet Detection Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda Vienna University.

Automatically Generating Models for Botnet Detection Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda Vienna University.
Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications.

Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications.
CISC 879 - Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:
Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.

Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.
Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant.

Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
1 Internet Security Threat Report X Internet Security Threat Report VI Figure 1.Distribution Of Attacks Targeting Web Browsers.

1 Internet Security Threat Report X Internet Security Threat Report VI Figure 1.Distribution Of Attacks Targeting Web Browsers.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
BotNet Detection Techniques By Shreyas Sali

BotNet Detection Techniques By Shreyas Sali
All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영 2015. 04. 21.

All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영

Similar presentations

Ads by Google