a semantics based approach to malware detection
play

A Semantics-based Approach to Malware Detection Mila Dalla Preda - PowerPoint PPT Presentation

Jan 16, 2024 •290 likes •828 views

A Semantics-based Approach to Malware Detection Mila Dalla Preda University of Verona, Italy Mihai Christodorescu, Somesh Jha University of Wisconsin, USA Saumya Debray University of Arizona, USA 17-19 Jan, POPL 07, Nice A

  1. A Semantics-based Approach to Malware Detection Mila Dalla Preda – University of Verona, Italy Mihai Christodorescu, Somesh Jha – University of Wisconsin, USA Saumya Debray – University of Arizona, USA 17-19 Jan, POPL ’07, Nice A Semantics-based Approach to Malware Detection – p.1

  2. A Few Basic Definitions Malware represents malicious software. Malware detector is a program D that determines whether another program P is infected with a malware M . � True if D determines that P is infected with M D ( P, M ) = False otherwise A Semantics-based Approach to Malware Detection – p.2

  3. A Few Basic Definitions Malware represents malicious software. Malware detector is a program D that determines whether another program P is infected with a malware M . � True if D determines that P is infected with M D ( P, M ) = False otherwise An ideal malware detector detects all and only the programs infected with M , i.e., it is sound and complete. Sound = no false positives (no false alarms) Complete = no false negatives (no missed alarms) A Semantics-based Approach to Malware Detection – p.2

  4. Malware Trends There is more malware every year. New Malware 10992 445 2002 2003 2004 2005 A Semantics-based Approach to Malware Detection – p.3

  5. Malware Trends There is more malware every year. New Malware 10992 New Malware Families 445 141 101 2002 2003 2004 2005 But the number of malware families has almost no variation. Beagle family has 197 variants (as of Nov. 30). Warezov family has 218 variants (as on Nov. 27). A Semantics-based Approach to Malware Detection – p.3

  6. The Malware Threat Current detectors are signature-based: P matches byte-signature sig P is infected ⇒ Signature-based detectors, when sound, are not complete. Malware writers use obfuscation to evade current detectors. A Semantics-based Approach to Malware Detection – p.4

  7. The Malware Threat Current detectors are signature-based: P matches byte-signature sig P is infected ⇒ Signature-based detectors, when sound, are not complete. Malware writers use obfuscation to evade current detectors. Virus–antivirus “coevolution” 1. Malware writers create new, undetected malware. 2. Antimalware tools are updated to catch the new malware. 3. Repeat... A Semantics-based Approach to Malware Detection – p.4

  8. Common Obfuscations Nop insertion Register renaming Junk insertion Code reordering Encryption Reordering of independent statements Reversing of branch conditions Equivalent instruction substitution Opaque predicate insertion ... and many others... A Semantics-based Approach to Malware Detection – p.5

  9. Common Obfuscations Nop insertion Register renaming Junk insertion Code reordering Encryption Reordering of independent statements Reversing of branch conditions Equivalent instruction substitution Opaque predicate insertion ... and many others... A Semantics-based Approach to Malware Detection – p.5

  10. Obfuscation Example (Pseudo-)Code: mov eax, [edx+0Ch] push ebx push [eax] call ReleaseLock A Semantics-based Approach to Malware Detection – p.6

  11. Obfuscation Example (Pseudo-)Code: Obfuscated code (junk): mov eax, [edx+0Ch] mov eax, [edx+0Ch] push ebx inc eax push [eax] push ebx call ReleaseLock dec eax push [eax] call ReleaseLock A Semantics-based Approach to Malware Detection – p.6

  12. Obfuscation Example (Pseudo-)Code: Obfuscated code (junk + reordering): mov eax, [edx+0Ch] mov eax, [edx+0Ch] jmp +3 push ebx push [eax] push ebx call ReleaseLock dec eax jmp +4 inc eax jmp -3 call ReleaseLock jmp +2 push [eax] jmp -2 A Semantics-based Approach to Malware Detection – p.6

  13. Solutions? Recent developments based on deep static analysis: Detecting Malicious Code by Model Checking [Kinder et al. 2005] Semantics-Aware Malware Detection [Christodorescu et al. 2005] Behavior-based Spyware Detection [Kirda et al. 2006] A Semantics-based Approach to Malware Detection – p.7

  14. Solutions? Recent developments based on deep static analysis: Detecting Malicious Code by Model Checking [Kinder et al. 2005] Semantics-Aware Malware Detection [Christodorescu et al. 2005] Behavior-based Spyware Detection [Kirda et al. 2006] Lack of a formal framework for assessing these techniques. A Semantics-based Approach to Malware Detection – p.7

  15. Our Contributions Challenges: Many different obfuscations Obfuscations are usually combined Detection schemes usually rely on static/dynamic analyses A Semantics-based Approach to Malware Detection – p.8

  16. Our Contributions Challenges: Many different obfuscations Obfuscations are usually combined Detection schemes usually rely on static/dynamic analyses A framework for assessing the resilience to obfuscation of malware detectors. Obfuscation as transformation of trace semantics Malware detection as abstract interpretation of trace semantics Composing obfuscations vs. composing detectors A Semantics-based Approach to Malware Detection – p.8

  17. Two Worlds of Malware Detectors Malware detector on finite semantic structure Disassembler CFG construction Other analyses A Semantics-based Approach to Malware Detection – p.9

  18. Two Worlds of Malware Detectors Malware detector Malware detector on finite semantic structure on trace semantics Disassembler CFG construction Other analyses A Semantics-based Approach to Malware Detection – p.9

  19. Two Worlds of Malware Detectors Malware detector Malware detector on finite semantic structure on trace semantics Disassembler CFG construction Other analyses A Semantics-based Approach to Malware Detection – p.9

  20. Abstract Interpretation Design approximate semantics of programs [Cousot & Cousot ’77, ’79]. ⊤ ⊤ γ γ ( α ( c )) α ( c ) α c ⊥ ⊥ A C Galois Connection: � C, α, γ, A � , A and C are complete lattices. � Abs ( C ) , ⊑� set of all possible abstract domains, A 1 ⊑ A 2 if A 1 is more concrete than A 2 A Semantics-based Approach to Malware Detection – p.10

  21. Outline Semantic Malware Detector Soundness and Completeness Classifying Obfuscations Composing Obfuscations Proving Soundness and Completeness A Semantics-based Approach to Malware Detection – p.11

  22. Semantic Malware Detector A program P is infected by malware M , denoted M ֒ → P if (a part) of P execution is similar to that of M : A Semantics-based Approach to Malware Detection – p.12

  23. Semantic Malware Detector A program P is infected by malware M , denoted M ֒ → P if (a part) of P execution is similar to that of M : ∃ restriction r : S [ ] ) ⊆ α r ( S [ [ M ] [ P ] ] ) A Semantics-based Approach to Malware Detection – p.12

  24. Semantic Malware Detector A program P is infected by malware M , denoted M ֒ → P if (a part) of P execution is similar to that of M : ∃ restriction r : S [ ] ⊆ α r ( S [ [ M ] [ P ] ]) α r program trace malware trace A Semantics-based Approach to Malware Detection – p.12

  25. Semantic Malware Detector A program P is infected by malware M , denoted M ֒ → P if (a part) of P execution is similar to that of M : ∃ restriction r : S [ ] ⊆ α r ( S [ [ M ] [ P ] ]) α r program trace malware trace Vanilla Malware i.e. not obfuscated malware A Semantics-based Approach to Malware Detection – p.12

  26. Obfuscated Malware O : P → P obfuscating transformation α : Sem → A abstraction that discards the details changed by the obfuscation while preserving maliciousness ∃ restriction r : α ( S [ [ M ] ]) ⊆ α ( α r ( S [ [ P ] ])) A Semantics-based Approach to Malware Detection – p.13

  27. Obfuscated Malware O : P → P obfuscating transformation α : Sem → A abstraction that discards the details changed by the obfuscation while preserving maliciousness ∃ restriction r : α ( S [ [ M ] ]) ⊆ α ( α r ( S [ [ P ] ])) obfuscated malware trace α α r program trace malware trace α A Semantics-based Approach to Malware Detection – p.13

  28. Sound vs. Complete Precision of the Semantic Malware Detector (SMD) depends on α A Semantics-based Approach to Malware Detection – p.14

  29. Sound vs. Complete Precision of the Semantic Malware Detector (SMD) depends on α A SMD on α is complete w.r.t. a set O of transformations if ∀O ∈ O : � ∃ restriction r : O ( M ) ֒ → P ⇒ α ( S [ [ M ] ]) ⊆ α ( α r ( S [ [ P ] ])) always detects programs that are infected (no false negatives) A Semantics-based Approach to Malware Detection – p.14

  30. Sound vs. Complete Precision of the Semantic Malware Detector (SMD) depends on α A SMD on α is complete w.r.t. a set O of transformations if ∀O ∈ O : � ∃ restriction r : O ( M ) ֒ → P ⇒ α ( S [ [ M ] ]) ⊆ α ( α r ( S [ [ P ] ])) always detects programs that are infected (no false negatives) If α is preserved by O then the SMD on α is complete w.r.t. O . A Semantics-based Approach to Malware Detection – p.14

  31. Sound vs. Complete Precision of the Semantic Malware Detector (SMD) depends on α A SMD on α is sound w.r.t. a set O of transformations if: � ∃ restriction r : ⇒ ∃O ∈ O : O ( M ) ֒ → P α ( S [ [ M ] ]) ⊆ α ( α r ( S [ [ P ] ])) never erroneously claims a program is infected (no false positives) A Semantics-based Approach to Malware Detection – p.14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Semantic Trace-based Malware Variants Detection Khalid Alzarooni CREST - DCS - UCL April 6,

Semantic Trace-based Malware Variants Detection Khalid Alzarooni CREST - DCS - UCL April 6,

Overview Trace-based approach Experiments Semantic Trace-based Malware Variants Detection Khalid Alzarooni CREST - DCS - UCL April 6, 2011 Overview Trace-based approach Experiments Outline Overview Trace-based approach Experiments

688 views • 31 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command & Control Automotive Consumer Energy & Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&D of malware with exotic C&C

781 views • 34 slides
Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H.

Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H.

Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H. Andrs Lagar-Cavilla #, Alexander Varshavsky #, Vinod Ganapathy *, and Liviu Iftode * * Rutgers University # AT&T Labs Research Smart Phone

709 views • 28 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of

1.04k views • 52 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng, Feng Li, Xukai Zou, and Jie Wu 1 / 47 Proximity malware Definition. Proximity malware is a malicious program which propagates

618 views • 47 slides
Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou Intro Increase of stealthy malware in enterprises Obfuscation, polymorphic techniques Often uses

766 views • 25 slides
Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

418 views • 19 slides
Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%) 80% of new malware are packed with various packers Malware Obfuscation Techniques: Packing 2 Malware and packing Not packed (20%) 80%

985 views • 51 slides
Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at this: } https://www.corelan.be/index.php/articles/ } Check out the Exploit Writing Tutorials } Starting Szor, Chapter 2. } Check out the Virus

1.34k views • 46 slides
Abstract Data Types Data types I We type data--classify it into various categories--such as

Abstract Data Types Data types I We type data--classify it into various categories--such as

Abstract Data Types Data types I We type data--classify it into various categories--such as int , boolean , String , Applet A data type represents a set of possible values, such as { ... , -2 , -1 , 0 , 1 , 2 , ... }, or { true , false }

991 views • 58 slides
Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd Paul Rascagnres from Malware.lu Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet

425 views • 31 slides
Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad

Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad

Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad Spensky 3 , Stephanie Forrest 2 , Westley Weimer 1 1 University of Michigan 2 Arizona State University 3 University of California, Santa Babara May 23,

357 views • 6 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead @ VMRay M. Sc. IT-Security Released first preview version of macOS sandbox in March @c1truz_ 2 Structure of this Talk => => Why?

706 views • 36 slides

More recommend