accessminer using system centric models for malware
play

AccessMiner: Using System-Centric Models for Malware Protection - PowerPoint PPT Presentation

Jan 15, 2023 •107 likes •545 views

AccessMiner: Using System-Centric Models for Malware Protection Andrea Lanzi 1 Davide Balzarotti 1 Christopher Kruegel 2 Mihai Christodorescu 3 Engin Kirda 1 1 Institute Eurecom 2 UC Santa Barbara 3 IBM T.J. Watson Research 17th ACM Conference on

  1. AccessMiner: Using System-Centric Models for Malware Protection Andrea Lanzi 1 Davide Balzarotti 1 Christopher Kruegel 2 Mihai Christodorescu 3 Engin Kirda 1 1 Institute Eurecom 2 UC Santa Barbara 3 IBM T.J. Watson Research 17th ACM Conference on Computer and Communications Security (CCS 2010)

  2. System-call based detector Most popular way to characterize the behavior of programs is based on the analysis of the system calls or Win32 API functions. Different models have been proposed: Sequences of system calls. (Mukkalama 2004, Kang 2005) System call patterns based on data flow dependencies. (Martignoni 2008, Kolbitsch 2009) System call and argument. (Kirda 2006) System-Call based real-time detector A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 2

  3. Our research motivations Most of these detectors follow the program-centric approach and they lack context that captures how benign programs in general interact with OS. The evaluation of the false positives for these models are very poor : the programs are exercised in a limited fashion. they are often using synthetic inputs. experiments are performed on a single machine. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 3

  4. Our research motivations Most of these detectors follow the program-centric approach Program-centric models fail to capture program behavior at a and they lack context that captures how benign programs in higher level of abstraction!!! general interact with OS. The evaluation of the false positives for these models are very poor : the programs are exercised in a limited fashion. they are often using synthetic inputs. experiments are performed on a single machine. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 3

  5. Our research motivations Most of these detectors follow the program-centric approach Program-centric models fail to capture program behavior at a and they lack context that captures how benign programs in higher level of abstraction!!! general interact with OS. The evaluation of the false positives for these models are very poor : the programs are exercised in a limited fashion. Poor evaluation of False positives!!! they are often using synthetic inputs. experiments are performed on a single machine. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 3

  6. Contribution (1): building a “good” benign data collection A large scale of malware data collection is available from different systems collector. (e.g Anubis, Malfease etc.) Collecting a large scale of “real” benign data collection is a challenge : We need to convince people that their private data are protected (privacy issue). We need to collect benign data from a different sources : home machine, lab machine, developing machine etc. (data diversity). The logger should not have any bad performance impact . (logging procedure should be safe). A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 4

  7. Contribution (1): building a “good” benign data collection We performed a large scale “real” data collection of system calls. We collected data for several weeks and from different real users . Our dataset contains: 1.5 billion of system calls. 242 applications. 362,000 processes executions. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 5

  8. System data collector Data-Collector Data Description <timestamp, program, pid, ppid, system call, args, result> A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 6

  9. System data collector Kernel collector logs 79 different system calls 5 categories: 25 related to files, 23 related to registries, 1 related to networking, 5 related to memory sections. Kernel collector protects the user’s private data that are obfuscated with a random value: Pathnames that do not belong system-path (e.g. C: \ Documents and Settings ), All registry keys below the user-root registry key (HKLM) All IP addresses. Log collector A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 7

  10. System data collector Usage Data System calls Processes Machine Applications � × 10 6 � � × 10 3 � (GB) 1 office 18.0 285 55.1 90 2 home 4.5 70 22.4 87 3 home 5.6 89 17.7 46 4 prod. 32.0 491 110.9 41 5 prod. 34.0 514 125.6 42 6 lab. 14.0 7 2.8 73 7 home 1.3 19 3.7 49 8 home 1.2 18 3.0 22 9 dev. 1.6 27 8.5 47 10 dev. 2.3 36 12.9 26 Total 114.5 1,556 362.6 242 A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 8

  11. Contribution (2): Studying diversity of system calls We analyze the diversity of the system call data in relationship to a particular model used to capture program behaviors. We cast the problem of studying the diversity of our data set as the problem of understanding whether a model is able to capture the data in a precise fashion . A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 9

  12. n-gram models We use n-grams as the basic technique to models system calls . The n-gram model has been used as part of many different security solutions. n-grams were used to model program activity to detect software exploits and to identify malicious code in network payloads. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 10

  13. n-gram model example n-gram sequence of system calls invoked by the running program with a sliding window of size n . application invokes 5 system call: < 12 , 3 , 17 , 9 , 11 > the 3-gram { < 12 , 3 , 17 > , < 3 , 17 , 9 > , < 17 , 9 , 11 > } . A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 11

  14. n-gram model Training: we find all n-grams that appear in some of the malware models but not in any of the models built for the benign programs. For malware model we used 10,000 samples from Anubis system. Detection: Using the “unique” n-grams we can perform detection. When benign programs contain more that k instances of n-grams that are considered malicious. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 12

  15. 2-gram model detection results A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 13

  16. 3-gram model detection results A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 14

  17. 4-gram model detection results A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 15

  18. n-gram model detection results We examined the number of unique n-grams that can be found in each of the 242 different applications that we observe. Under the assumption that n-grams are a good model to capture program behavior in general, we would expect that the number of such unique sequences is low. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 16

  19. n-gram model detection results Unique n-gram analysis 1000 Unique n-gram number 100 10 1 0 50 100 150 200 Application A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 17

  20. n-gram model detection results Unique n-gram analysis 1000 Interestingly, those applications for which we found the largest Unique n-gram number number of unique n-grams are also those that are frequently 100 used (the top-5 applications were explorer.exe, svchost.exe, acrotray.exe, firefox.exe, and iexplore .exe) !!! 10 1 0 50 100 150 200 Application A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 17

  21. Contributions (3): Access activity model The intuition is that benign programs in general follow certain ways in which they use the OS resources. To capture normal interactions with the filesystem and the Windows registry, we propose access activity model specifies a set of labels for OS. An access activity model specifies a set of labels for operating system resources (files and registries). A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 18

  22. Access activity model A label L is a set of access tokens { t 0 , t 1 , . . . , t n } . Each token t is a pair � a , op � . The first component a represents the application, the second component op represents the type of access). The possible values for the operation component of an access token are read , write , and execute for file-system resources (directories), and read and write for registry sub-keys. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 19

  23. Virtual filesystem In the first step we build a unique virtual filesystem that includes all the file pathnames defined into the benign data logs files. Same filesystem is also build for the registries pathnames. A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 20

  24. Virtual filesystem C: \ dir \ sub1 \ foo � pA , read � A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 20

  25. Virtual filesystem C: \ dir C: \ dir \ sub1 \ foo � pA , read � sub1 , � pA , read � A. Lanzi , D. Balzarotti, C. Kruegel, M. Christodorescu, E. Kirda malware protection 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improving Generative Imagination in Object-Centric World Models Zhixuan Lin, Yi-Fu Wu, Skand,

Improving Generative Imagination in Object-Centric World Models Zhixuan Lin, Yi-Fu Wu, Skand,

Improving Generative Imagination in Object-Centric World Models Zhixuan Lin, Yi-Fu Wu, Skand, Bofeng Fu, Jindong Jiang, Sungjin Ahn Object-Centric Temporal Generative Models STOVE SCALOR SILOT OP3 (Kossen et al., 2019) (Jiang et al., 2019)

660 views • 18 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
TransMR: Data Centric Programming Beyond Data Parallelism Naresh Rapolu Karthik Kambatla Prof.

TransMR: Data Centric Programming Beyond Data Parallelism Naresh Rapolu Karthik Kambatla Prof.

TransMR: Data Centric Programming Beyond Data Parallelism Naresh Rapolu Karthik Kambatla Prof. Suresh Jagannathan Prof. Ananth Grama Limitations of Data-Centric Programming Models Data-centric programming models (MapReduce, Dryad etc.)

572 views • 14 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

567 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Info- -Centric Scenario Development Centric Scenario Development Info Presentation to 19 th

Info- -Centric Scenario Development Centric Scenario Development Info Presentation to 19 th

Info- -Centric Scenario Development Centric Scenario Development Info Presentation to 19 th ISMOR Oxford, UK 29 August 2002 William J. Krondak Michael P. Coville Abstract: The development of the Future Combat System (FCS) concepts within

303 views • 15 slides
S6357 Towards Efficient Communication Methods and Models for Scalable GPU-Centric Computing

S6357 Towards Efficient Communication Methods and Models for Scalable GPU-Centric Computing

S6357 Towards Efficient Communication Methods and Models for Scalable GPU-Centric Computing Systems Holger Frning Computer Engineering Group Ruprecht-Karls University of Heidelberg GPU Technology Conference 2016 About us JProf. Dr.

484 views • 33 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Towards malware inspired management frameworks J er ome Fran cois, Radu State and

Towards malware inspired management frameworks J er ome Fran cois, Radu State and

April, 8 2008 http://madynes.loria.fr/ Towards malware inspired management frameworks J er ome Fran cois, Radu State and Olivier Festor Introduction Malware for management Models Results Conclusion Outline 1 Introduction 2

513 views • 34 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology for some of these slides Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have already seen how code

671 views • 47 slides
# of true positives true positive rate = # of known positives (Proportion of actual positives

# of true positives true positive rate = # of known positives (Proportion of actual positives

True positive rate (Sensitivity) # of true positives true positive rate = # of known positives (Proportion of actual positives that are correctly identified) True negative rate (Specificity) # of true negatives true negative rate = # of known

475 views • 24 slides
Green Chemistry Student Resources Examples of What You Can Do! Lead or Join a Student led

Green Chemistry Student Resources Examples of What You Can Do! Lead or Join a Student led

beyondbenign green chemistry education Green Chemistry Student Resources Examples of What You Can Do! Lead or Join a Student led initiative ACS-GCI- encourage your Chemistry Club to get a green chemistry award Encourage your Chemistry

255 views • 7 slides
Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo Chakraborty 2 , Prateek Mittal 1 and Seraphin Calo 2 1 Princeton University 2 IBM Research ICML 2019 Federated learning (with a malicious agent) Federated

1.46k views • 59 slides
A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples Qiang Zeng ,

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples Qiang Zeng ,

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples Qiang Zeng , Jianhai Su, Chenglong Fu, Golam Kayas, Lannan Luo, Xiaojiang Du, Chiu C. Tan, and Jie Wu DSN 2019 2 3 Audio AE generation Open the front

353 views • 20 slides
HEAP BGP Observatory Johannes Zirngibl, Patrick Sattler, Markus Sosnowski, Georg Carle

HEAP BGP Observatory Johannes Zirngibl, Patrick Sattler, Markus Sosnowski, Georg Carle

Chair of Network Architectures and Services Department of Informatics Technical University of Munich HEAP BGP Observatory Johannes Zirngibl, Patrick Sattler, Markus Sosnowski, Georg Carle Acknowledgements: Johann Schlamp, Ralph Holz, Quentin

223 views • 10 slides
Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and

Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and

Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and Geriatrics Keck School of Medicine of USC University of Southern California The Game Plan Introductory comments Age-related changes and how

417 views • 27 slides
Possible &amp; Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an

Possible &amp; Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an

Possible &amp; Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an infinite series impossible? 6 Infinite 3 False A Better Series Theories Theory Six Infinities The Truth Regress Series: P. Its true that P.

464 views • 30 slides

More recommend