behavioral clustering of http based malware and signature
play

Behavioral Clustering of HTTP-based Malware and Signature Generation - PowerPoint PPT Presentation

Jan 03, 2024 •285 likes •601 views

Behavioral Clustering of HTTP-based Malware and Signature Generation using Malicious Network Traces Roberto Perdisci (1,2) , Wenke Lee (1,2) , Nick Feamster (1) (1) (2) USENIX NSDI 2010 Malware = Malicious Software Most modern cyber

  1. Behavioral Clustering of HTTP-based Malware and Signature Generation using Malicious Network Traces Roberto Perdisci (1,2) , Wenke Lee (1,2) , Nick Feamster (1) (1) (2) USENIX NSDI 2010

  2. Malware = Malicious Software ● Most modern cyber crimes are carried out using malicious software – Spam , Identity Theft , DDoS ... ● Many different types of malware – Trojans – Bots – Spyware – Adware – Scareware ...

  3. Traditional AVs are not enough! AV scan Malware Original Malware .exe Benign Executable Packing (obfuscation) Hidden Malware

  4. What can we do to detect malware? ● Most malware need a network connection to perpetrate malicious activities – Bots need to contact C&C server, send spam, etc... – Spyware need to exfiltrate private info – Trojan droppers need to download further malicious software ... ● Variants of the same malware can evade AVs – When executed they generate similar malicious behavior GET /in.php?affid=101 POST /jump2/?affiliate=boo1 GET /in.php?affid=132 POST /jump2/?affiliate=boo3 obfuscation GET /in.php?affid=123 engine Honeypot POST /jump2/?affiliate=boo2 No AV detection Similar network behavior

  5. Our Approach ● Detect the Network Behavior of Malware IDS Alarm Admin – Complement existing host-based detection systems – Improve “coverage”

  6. Web-based Malware ● Use HTTP protocol (2009 – source: Team Cymru) ● Bypass existing HTTP-C&C network defenses – Firewalls IRC-C&C ● Web kits for malware control available Enterprise Network FW Web-Proxy

  7. Detecting Web-based Malware Enterprise Network FW Web-Proxy IDS Malware detection models Behavioral Network Analysis Admin Malware Collection

  8. System Overview Malware Families 2 1 Behavioral Clustering 1 3 3 2 Malware Traffic : GET /in.php?affid=94901&url=5&win=Windows%20XP+2.0&sts=|US|1|6|4|1|284|0 1 GET /in.php?affid=43403&url=5&win=Windows%20XP+2.0&sts= 2 3 GET /in.php?affid=94924&url=5&win=Windows%20XP+2.0&sts=|US|1|6|8|1|184|0 Malware Detection Signature : GET /in\.php\?affid=.*&url=5&win=Windows%20XP\+2\.0&sts=.*

  9. Behavioral Malware Clustering ● Related Work (host-level behavior) – Automated analysis of Internet malware [Bailey et al., RAID 2007] – Scalable malware clustering [Bayer et al., NDSS 2009] – Malware indexing using function-call graphs [Hu et al., CCS 2009] ● Our approach – Focus on network-level behavior we want network signatures – Better malware detection signatures than using host-level behavior

  10. Network Behavioral Clustering Malware Traces Coarse-grained Fine-grained Meta-clusters ● Three-steps clustering refinement process ● Good trade-off between efficiency and accuracy

  11. Network Behavioral Clustering Malware Traces Coarse-grained Fine-grained Meta-clusters GET /bins/int/9kgen_up.int?fxp=6d HTTP/1.1 User-Agent: Download Host: X1569.nb.host192-168-1-2.com Cache-Control: no-cache HTTP/1.1 200 OK Connection: close Server: Yaws/1.68 Yet Another Web Server Date: Mon, 15 Mar 2010 11:47:11 GMT Content-Length: 573444 Content-Type: application/octet-stream Honeypot

  12. Network-level Clustering Malware Traces Coarse-grained Fine-grained Meta-clusters Statistical Features # GET req # POST req avg(len(url)) Hierarchical avg(len(data_sent)) Clustering avg(len(response)) ...

  13. Network-level Clustering Malware Traces Coarse-grained Fine-grained Meta-clusters Structural Features Hierarchical GET /in.php?affid=94900 Clustering GET /bins/int/9kgen_up.int?fxp=6dc23 POST /jump2/?affiliate=boo1 POST /trf?q=Keyword1&bd=-5%236 Malware Trace M 1 Malware Trace M 2 GET /in.php?affid=94900 GET /index.php?v=1.3&os=WinXP d(M 1 ,M 2 ) GET /bins/int/9kgen_up.int?fxp=6dc23 GET /kgen/config.txt POST /jump2/?affiliate=boo1 POST /bots/command.php?a=6.6.6.6 POST /trf?q=Keyword1&bd=-5%236 POST /attack.php?ip=10.0.1.2&c=dos

  14. Network-level Clustering Malware Traces Coarse-grained Fine-grained Meta-clusters ● Meta-clustering recovers from possible mistakes made in previous steps ● Improves overall quality of malware clusters and malware detection models

  15. Network-level Clustering Malware Traces Coarse-grained Fine-grained Meta-clusters Compute Measure Centroids Distance d(C 1 ,C 2 ) Hierarchical Clustering Centroid GET /in\.php\?affid=.* GET /in.php?affid=234 GET /bins/in\.int\?fxp=.* GET /bins/in\.int?fxp=02 POST /j\?affiliate=boo.* POST /j?affiliate=boo1 Token POST /trf\?q=bd=.*%23.* POST /trf?q=bd=-1%236 Subsequences Algorithm

  16. Signature Generation Signature Set Malware Families GET /in\.php\?affid=.* Token GET /bins/int/9kgen_up\.int\?fxp=.* Subsequences POST /jump2/\?affiliate=boo.* POST /trf\?q=Keyword.*&bd=.*%23.* Algorithm Polygraph IEEE S&P 2005 Enterprise Network

  17. Experimental Results ● Malware Dataset – 6 months of malware collection (Feb-Jul 2009) – ~ 25k distinct real-world malware samples ● Clustering Results Dataset Samples Malware Modeled Signatures Time Families Samples Feb-2009 4,758 234 3,494 446 ~8h Compact and well Cluster Validity Separated Clusters Analysis

  18. Experimental Results Signature Set Malware Clusters Honeypot Malware Set IDS GET /in\.php\?affid=.* GET /bins/int/9kgen_up\.int\?fxp=.* POST /jump2/\?affiliate=boo.* POST /trf\?q=Keyword.*&bd=.*%23.* Detection Results Detection Test on All Samples Feb09 Mar09 Apr09 May09 Jun09 Jul09 Sig. Feb09 85.9% 50.4% 47.8% 27.0% 21.7% 23.8% Detection Test on Malware undetected by commercial AVs Feb09 Mar09 Apr09 May09 Jun09 Jul09 Sig. Feb09 54.8% 52.8% 29.4% 6.1% 3.6% 4.0% Sig. Feb09 No False Alerts → Tested on 12M legitimate HTTP queries

  19. Comparison with other approaches Signature extracted from reduced malware set of ~2k malware samples Malware Set Coarse-grained Fine-grained Meta-clusters Feb09 Mar09 78.6% 48.9% Malware Set Fine-grained Feb09 Mar09 Using only 60.1% 35.1% fine-grained clustering Malware Set Host-based Feb09 Mar09 Using approach proposed Behavioral in [Bayer et al. NDSS 2009] 56.9% 33.9% Clustering

  20. Conclusion ● Novel behavioral malware clustering system ● Focus on network-level behavior ● Find malware families ● Trade-off between efficiency and accuracy ● Better detection models compared to using host-level behavioral clustering approaches ● Malware signatures complement existing host- level malware detection approaches

  21. "If I haven't said this enough, this tool is so badass Roberto... It does an awesome job correlating and clustering these samples" Sean M. Bodmer, CISSP CEH Senior Research Analyst Damballa, Inc.

  22. Thank You! Q&A? perdisci@gtisc.gatech.edu

  23. Appendix

  24. AV malware detection stats Source: Oberheide et al., USENIX Security 2008

  25. Real-World Deployment ● Deployed in large enterprise network – ~ 2k-3k active nodes – 4 days of testing ● Findings – 25 machines infected by spyware – 19 machines infected by scareware (fake AVs) – 1 bot -compromised machine – 1 machine compromised by banker trojan

  26. Cluster Validity Analysis Malware Cluster McAfee Avira Trend Micro M1 M1 : W32/Virut .gen WORM/Rbot .50176.5 PE_VIRUT .D-1 M2 : W32/Virut .gen WORM/Rbot .50176.5 PE_VIRUT .D-2 M5 M8 M3 : W32/Virut .gen W32/Virut .Gen PE_VIRUT .D-4 M4 : W32/Virut .gen W32/Virut .X PE_VIRUT .XO-2 M2 M3 M5 : W32/Virut .gen WORM/Rbot .50176.5 PE_VIRUT .D-2 M6 M6 : W32/Virut .gen W32/Virut .H PE_VIRUT .NS-2 M7 M7 : W32/Virut .gen WORM/Rbot .50176.5 PE_VIRUT .D-2 M4 M8 : W32/Virut .gen WORM/Rbot .50176.5 PE_VIRUT .D-1 AV-Label Graph 5 M_W32/Virut Cohesion Index 3 1- 1- 8 8 0 A_W32/Virut A_WORM/Rbot Separation Index 3 5 1- 1- T_PE_VIRUT 8 8

  27. Experimental Results 6 months malware collection → over 25k distinct samples Compact and well Separated Clusters Cluster Validity Analysis

  28. Signature Generation and Pruning IDS IDS GET /in\.php\?affid=.* GET /in\.php\?affid=.* GET /in\.php\?affid=.* GET /bins/int/9kgen_up\.int\?fxp=.* GET /bins/int/9kgen_up\.int\?fxp=.* GET /bins/int/9kgen_up\.int\?fxp=.* GET /img/logo.jpg GET /img/logo.jpg POST /jump2/\?affiliate=boo.* POST /jump2/\?affiliate=boo.* POST /jump2/\?affiliate=boo.* POST /trf\?q=Keyword.*&bd=.*%23.* POST /trf\?q=Keyword.*&bd=.*%23.* POST /trf\?q=Keyword.*&bd=.*%23.* GET /index\.asp\?version=.* GET /index\.asp\?version=.* Final Final Malware Malware Original Signature Set Original Signature Set Legitimate Pruned Signature Set Clusters Clusters Traffic Enterprise Network

  29. Experimental Results Malware Detection rate (all samples) Detects significant fraction of current and future malware variants False Positives as measured on 12M legitimate HTTP requests from 2,010 clients “Zero-Day” Malware Detection rate Complements traditional AV detection systems

  30. Comparison with other approaches Malware Traces Coarse-grained Fine-grained Meta-clusters Signature Generation Reduced dataset of ~4k malware samples net-clusters = our three-step clustering approach net-fg-clusters = only fine-grained clustering sys-clusters = using approach proposed in [Bayer et al. NDSS 2009]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7, 2017 Signature-based Anti-Virus Systems By far, the most popular weapon against cyber attacks is signature-based antivirus software. When

709 views • 12 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng, Feng Li, Xukai Zou, and Jie Wu 1 / 47 Proximity malware Definition. Proximity malware is a malicious program which propagates

618 views • 47 slides
Finding Clusters Types of Clustering Approaches: Linkage Based, e.g. Hierarchical Clustering

Finding Clusters Types of Clustering Approaches: Linkage Based, e.g. Hierarchical Clustering

Finding Clusters Types of Clustering Approaches: Linkage Based, e.g. Hierarchical Clustering Clustering by Partitioning, e.g. k-Means Density Based Clustering, e.g. DBScan Grid Based Clustering Compendium slides for Guide to Intelligent

1.32k views • 82 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone

Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone

Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone Experience Team Proofpoint George Zhao Yash Patel Graham Thomas Brad Doherty Crystal Lewis Department of Computer Science and Engineering

761 views • 10 slides
Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone

Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone

Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone Experience Team Proofpoint Crystal Lewis Yash Patel George Zhao Graham Thomas Brad Doherty Department of Computer Science and Engineering Michigan

402 views • 11 slides
Malware Behavioral Detection by Attribute-Automata using Abstraction from Platform and Language

Malware Behavioral Detection by Attribute-Automata using Abstraction from Platform and Language

Malware Behavioral Detection by Attribute-Automata using Abstraction from Platform and Language JACOB Grgoire 1/2 , DEBAR Herv 1 , FILIOL Eric 2 1 Orange Labs / France Tlcom R&D, Security and Trusted Transactions (MAPS/STT). 2

327 views • 21 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based malware: Exploit kits Fake AV Ransomware Today (continuation) How Malware Spreads Adware Computer Virus A type of malicious

647 views • 23 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Outline Linkage-based Clustering Motivation Definitions Clustering with Semantic

Outline Linkage-based Clustering Motivation Definitions Clustering with Semantic

Outline Linkage-based Clustering Motivation Definitions Clustering with Semantic Links Applications Algorithms SimRank Yin X., Han J. and Yu P. S., 2006, LinkClus: Efficient ReCoM Clustering via Heterogeneous

221 views • 8 slides
Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos VU University Amsterdam DIMVA 2014 Introduction Trigger-Based Malware Trigger-based malware (TBM) remains dormant until a specific trigger E.g.

586 views • 14 slides
Outline Background Research Questions Experimental Implementation

Outline Background Research Questions Experimental Implementation

Mohammadbagher Fotouhi, Derek Chen Wes Lloyd 1 December 9, 2019 School of Engineering and Technology, University of Washington, Tacoma, Washington USA WOSC 2019 : 5th IEEE Workshop on Serverless Computing Outline Background Research

411 views • 15 slides
Building RESTful Web Services with Erlang and Yaws Steve Vinoski Member of Technical Staff

Building RESTful Web Services with Erlang and Yaws Steve Vinoski Member of Technical Staff

Building RESTful Web Services with Erlang and Yaws Steve Vinoski Member of Technical Staff Verivue, Inc., Westford, MA USA http://steve.vinoski.net/ QCon San Francisco 20 November 2008 Erlang Functional programming language created in

820 views • 45 slides
Building RESTful Services with Erlang and Yaws Steve Vinoski Member of Technical Staff Verivue

Building RESTful Services with Erlang and Yaws Steve Vinoski Member of Technical Staff Verivue

Building RESTful Services with Erlang and Yaws Steve Vinoski Member of Technical Staff Verivue Westford, MA USA http://steve.vinoski.net/ vinoski@ieee.org Why Yaws? (Yet Another Web Server) http://www.sics.se/~joe/apachevsyaws.html

601 views • 34 slides
It was requested by people from all over the world and shared its knowledge. Bu But t th the

It was requested by people from all over the world and shared its knowledge. Bu But t th the

HE DATA KRAKEN is an ancient oracle of wisdom and knowledge. It was requested by people from all over the world and shared its knowledge. Bu But t th the e or orac acle le became hungry for information

665 views • 49 slides
HiPE Implemented and commercially supported by Ericsson, but the source code is free and

HiPE Implemented and commercially supported by Ericsson, but the source code is free and

Open Source Erlang (Erlang/OTP) Part of Ericssons Open Telecom Platform (OTP). HiPE Implemented and commercially supported by Ericsson, but the source code is free and High Performance Erlang available on-line ( www.erlang.org ).

325 views • 5 slides
Would that it were so simple: Yet another theory of privacy John Mitchell (Stanford) Avradip

Would that it were so simple: Yet another theory of privacy John Mitchell (Stanford) Avradip

Would that it were so simple: Yet another theory of privacy John Mitchell (Stanford) Avradip Mandal, Hart Montgomery, Arnab Roy (Fujitsu) It seems Allegras a noshow, which is simply a bore, but Ill partner you in bridge. 2 Would

553 views • 26 slides
AE-705: Introduction to Flight Takeoff & Landing by Hemashree Kakar Mechanical Engineering

AE-705: Introduction to Flight Takeoff & Landing by Hemashree Kakar Mechanical Engineering

AE-705: Introduction to Flight Takeoff & Landing by Hemashree Kakar Mechanical Engineering Department RTU Kota AE-705 Introduction to Flight Lecture-18 Capsule-09 Take-off and Landing AE-705 Introduction to Flight Lecture-18

856 views • 41 slides
CouchDB Thursday, 22 October 2009 Whos Talking Jan Lehnardt Erlang & JavaScript

CouchDB Thursday, 22 October 2009 Whos Talking Jan Lehnardt Erlang & JavaScript

Apache CouchDB Thursday, 22 October 2009 Whos Talking Jan Lehnardt Erlang & JavaScript Hacker, Web Enthusiast CouchDB Developer Director Relaxed, Inc. jan@apache.org / @janl & couch.io github.com/janl

1.06k views • 73 slides

More recommend