compact explanation of why malware is bad
play

Compact Explanation of Why Malware is Bad Speaker: Wei Chen 1 Joint - PowerPoint PPT Presentation

Sep 24, 2023 •108 likes •426 views

Compact Explanation of Why Malware is Bad Speaker: Wei Chen 1 Joint Work with Charles Sutton 1 , David Aspinall 1 , Andrew D. Gordon 1 , 2 , Igor Muttik 3 , and Qi Shen 4 App Guarden Project 1 University of Edinburgh 2 Microsoft Research Cambridge

  1. Compact Explanation of Why Malware is Bad Speaker: Wei Chen 1 Joint Work with Charles Sutton 1 , David Aspinall 1 , Andrew D. Gordon 1 , 2 , Igor Muttik 3 , and Qi Shen 4 App Guarden Project 1 University of Edinburgh 2 Microsoft Research Cambridge 3 Intel Security 4 Peking University

  2. Android Applications

  3. Threats Around Android Applications Bank Trojans Premium SMS Locate Eavesdrop Root Access Botnet Control Steal Personal Information

  4. An Example: the Flashlight Application

  5. Flashlight: Some Comments from General Users “Why in the world would I want a flashlight app that collects so much info about me?” from a user. “This app is extremely bright and does its job well. I don’t know what others mean when they say that they have so many problems with it.” from another user.

  6. Flashlight: the Generated Behaviour Automaton

  7. Motivation & Goal ◮ Motivation : it is not really enough to simply identify an application as malware; we need to convince people the identification is correct and explain what it means. ◮ Goal : automatically generate compact explanations to a broad range of people by producing short paragraphs, compact behaviour automata, and statistical charts. ◮ Potential Benefits : help people get better understanding of potential threats hidden in mobile applications; provide hints for malware analysts before more expensive investigation; support automatic generation of security and anti-security policies, etc.

  8. Examples: Some Generated Explanations in Paragraphs ◮ This is a trojan which steals personal information from the infected device. It can be controlled over the web through HTTP. (an instance of Droidkungfu) ◮ It sends SMS messages to premium rated numbers. (an instance of Opfake) ◮ This application might be a Chatting application, but, after a USB massive storage is connected, it will: retrieve a class in a runnable package; read information about networks; connect to Internet. (an instance of Basebridge) ◮ This application is declared as an Anti-Virus application, but, it will: read your phone state after a phone call is made; read your phone state then connect to Internet; send SMS messages after a phone call is made. (an instance of Zitmo)

  9. � Examples: a Generated Explanation in Behaviour Automata SEND SMS, INTERNET SEND SMS, INTERNET SMS RECEIVED � q 0 � q 1 � q 2 (from instances of Ggtracker and Zitmo)

  10. Technical Challenges ◮ Formalisation : characterise and formalise an application’s behaviours precisely and efficiently. ◮ Learning : develop an effective and efficient method to learn unexpected behaviours from thousands of sample malware and benign applications. ◮ Explanation : decide whether a target application is malware, if so, automatically generate explanations from its unexpected behaviours. ◮ Evaluation : evaluate identified unexpected behaviours and generated explanations.

  11. The Approach: Formalisation ◮ We characterise an application’s behaviour by an extended B¨ uchi automaton, i.e., finite and infinite control-dependence sequences of events, actions, and annotated API calls, a behaviour automaton so-called. ◮ We have designed and implemented a static analysis tool to construct such a behaviour automaton directly from each Android application to approximate its behaviours. ◮ We have to consider a broad range of features of the Java and the Android framework, e.g., multi-threads, multi-entries, inter-procedural calls, callbacks, component life-cycles, inter-component communications, and runtime-registered listeners, etc.

  12. � � � � � � � � � The Approach: Formalisation AsyncTask: sendTextMessage AsyncTask: sendTextMessage MAIN click q 0 q 1 q 2 q 3 SMS RECEIVED Receiver: getLine1Number q 4 q 5 q 6 Receiver: getDeviceId Receiver: openConnection Receiver: openConnection (the behaviour automaton of an Android application)

  13. � � � � � � � � � The Approach: Formalisation SEND SMS MAIN click SEND SMS q 0 q 1 q 2 q 3 SMS RECEIVED READ PHONE STATE q 4 q 5 q 6 READ PHONE STATE INTERNET INTERNET (the abstract behaviour automaton of an Android application)

  14. The Approach: Learning ◮ An unexpected behaviour is a salient sub-automaton. ◮ A common pattern exhibited by malware instances in a human-decided malware family, which is rarely seen in benign applications. ◮ We have developed a learning-centred method to capture unexpected behaviours from thousands of malware instances across hundreds of families. ◮ Differentiate salient features by adding benign applications for training. F k = {⊕ A∈ G k A | ⊕ ∈ {− , ∩}} w (Σ | w j | + Σ log(1 + e − y i w T x i )) ∧ x i ∈ F | F k | min k F k ← { j ∈ F k | w j � = 0 } F k ⊗ F l = {A − B , A ∩ B , B − A | A ∈ F k ∧ B ∈ F l } U = { j ∈ F | w j < 0 }

  15. � The Approach: Learning SEND SMS, INTERNET SEND SMS, INTERNET SMS RECEIVED � q 0 � q 1 � q 2 (from instances of Ggtracker and Zitmo)

  16. The Approach: Learning ◮ A singular behaviour identified in a group of applications which have similar behaviours.

  17. The Approach: Learning Accessing Your Location normal singular

  18. The Approach: Learning Sending SMS Messages normal singular

  19. The Approach: Learning Context-Sensitive Training Fine-Grained Unexpected Groups Data Behaviours Training Clustering Auto_1 Group A Auto_2 Group B Auto_2 Pre-labelled Apps Auto_3 Group C ... ...

  20. The Approach: Explanation [Similarity] Check Generation Auto_1 Group B Templates Auto_x A Target Explanation Auto_2 Auto_y App Sentences Auto_a ◮ Present behaviour automata directly. ◮ Extract singletons, i.e., API calls, actions, and events, from automata, and search by keywords for sentences in malware analysis reports. ◮ Extract pairs, i.e., something happens before another thing, from automata, and feed them through pre-defined templates.

  21. The Approach: Explanation — Sentence Searching intercepts incoming sms messages and forwards them to a remote server including informations like imsi and imei these applications send premium sms messages the application will run in the background gathering sms activity and periodically send it to a proxy email address it sends sms messages to premium rated numbers and tries to hide this action from the malware investigators by using some kind of steganography this trojan steals personal information and receives commands via sms steals information sms messages imei imsi etc sending sms messages it sends sms messages to premium rated numbers it sends sms texts to all contacts on the device and sends an sms text to report its installation without the affected users knowledge and possibly resulting in data charges for the owner of the affected device allows an application to send sms messages allows an application to write sms messages sends sms messages to premium rated numbers this malware also sends sms messages sends sms spam messages afterwards the trojan sends sms messages to phone numbers listed in this configuration file this malware attempts to send premium rated sms messages the trojan gathers the following information from the compromised device sms messages phone number and the imei of the infected device it also sends sms messages

  22. The Approach: Explanation — Sentence Searching Choose the central sentence. � tfidf ( a , s , C ) , if a is a word of s ; V [ s ][ a ] = 0 , otherwise. � σ V ( s ) = cos ( θ V [ s ] , V [ t ] ) t ∈ C s ′ ∈ C σ V ( s ′ ) arg max

  23. The Approach: Explanation — Sentence Searching intercepts incoming sms messages and forwards them to a remote server including informations like imsi and imei these applications send premium sms messages the application will run in the background gathering sms activity and periodically send it to a proxy email address it sends sms messages to premium rated numbers and tries to hide this action from the malware investigators by using some kind of steganography this trojan steals personal information and receives commands via sms steals information sms messages imei imsi etc sending sms messages it sends sms messages to premium rated numbers it sends sms texts to all contacts on the device and sends an sms text to report its installation without the affected users knowledge and possibly resulting in data charges for the owner of the affected device allows an application to send sms messages allows an application to write sms messages sends sms messages to premium rated numbers this malware also sends sms messages sends sms spam messages afterwards the trojan sends sms messages to phone numbers listed in this configuration file this malware attempts to send premium rated sms messages the trojan gathers the following information from the compromised device sms messages phone number and the imei of the infected device it also sends sms messages

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why Attitude to Good Towards Explanation . . . Towards Explanation . . . People Is Not Always

Why Attitude to Good Towards Explanation . . . Towards Explanation . . . People Is Not Always

Formulation of the . . . Towards Explanation Why Attitude to Good Towards Explanation . . . Towards Explanation . . . People Is Not Always Commonsense . . . Positive: Explanation Based Home Page on Decision Theory Title Page

429 views • 6 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Why LINEX Our Explanation (cont-d) Our Explanation (cont-d) (Linear Exponential) Our

Why LINEX Our Explanation (cont-d) Our Explanation (cont-d) (Linear Exponential) Our

Empirical Fact Empirical Fact (cont-d) Our Explanation Why LINEX Our Explanation (cont-d) Our Explanation (cont-d) (Linear Exponential) Our Explanation (cont-d) Loss Functions? References Home Page Emilio Ramirez and Vladik Kreinovich

520 views • 8 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND &amp; CONTROL QUESTIONS &amp; ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
Empirical Power Law for Comment (cont-d) Our Explanation Company Losses: Our Explanation

Empirical Power Law for Comment (cont-d) Our Explanation Company Losses: Our Explanation

Formulation of the . . . Formulation of the . . . Comment Empirical Power Law for Comment (cont-d) Our Explanation Company Losses: Our Explanation (cont-d) Our Explanation (cont-d) A Probability-Based References Explanation Home Page

427 views • 9 slides
XAI in Machine Learning Problems Taxonomy Explanation by Design Black Box eXplanation Example

XAI in Machine Learning Problems Taxonomy Explanation by Design Black Box eXplanation Example

XAI in Machine Learning Problems Taxonomy Explanation by Design Black Box eXplanation Example of XAI For a Classification Task Guidotti, R.; Monreale, A.; Ruggieri, S.; Turini, F.; Giannotti, F.; and Pedreschi, D. 2018. A survey of methods

653 views • 52 slides
The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

File Upload / Download Perl Scripts The five Perl scripts must be installed on the conference file server to enable authors and editors to upload and download manuscript and talk files. The file server must have an up-to-date version of

272 views • 9 slides
Internet Technology 14. VoIP and NAT Traversal Paul Krzyzanowski Rutgers University Spring 2013

Internet Technology 14. VoIP and NAT Traversal Paul Krzyzanowski Rutgers University Spring 2013

Internet Technology 14. VoIP and NAT Traversal Paul Krzyzanowski Rutgers University Spring 2013 April 29, 2013 2013 Paul Krzyzanowski 1 Session Initiation Protocol (SIP) Dominant protocol for Voice over IP (VoIP) RFC 3261 Allows

572 views • 40 slides
Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University

Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University

CS 252: Advanced Programming Language Principles Metaprogramming &amp; JavaScript Object Proxies Prof. Tom Austin San Jos State University ECMAScript Schism ECMAScript 4 was divisive A group broke off to create ECMAScript 3.1

480 views • 32 slides
Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis

Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis

Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis (gkastrinis@di.uoa.gr) Yannis Smaragdakis (yannis@smaragd.org) University of Athens, Greece ISSTA18, July 17, 2018, Amsterdam, Netherlands Dynamic

403 views • 23 slides
On E-Vote Integrity in the Case of Malicious Voter Computers Sven Heiberg Helger Lipmaa Filip

On E-Vote Integrity in the Case of Malicious Voter Computers Sven Heiberg Helger Lipmaa Filip

Motivation Rage against the Machine Our Solution On E-Vote Integrity in the Case of Malicious Voter Computers Sven Heiberg Helger Lipmaa Filip Van Laenen Cybernetica AS, Estonia Computas AS, Norway September 21, 2010 Heiberg, Lipmaa, Van

464 views • 18 slides
ExecScent: Mining for New C&amp;C Domains in Live Networks

ExecScent: Mining for New C&amp;C Domains in Live Networks

ExecScent: Mining for New C&amp;C Domains in Live Networks with Adap?ve Control Protocol Templates Terry Nelms 1,2 , Roberto Perdisci 3,2 , Mustaque Ahamad 2,4 1

506 views • 33 slides
Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven

Tor: Anonymous Communications for the Dept of Defense...and you. Roger Dingledine Free Haven Project Electronic Frontier Foundation http://tor.eff.org/ 17 September 2005 Talk Outline Motivation: Why anonymous communication? Myth 1:

703 views • 47 slides
A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau ( @obilodeau ) $ apropos Embedded Linux Malware Moose DNA (description) Moose Herding (the Operation) Whats New? Take Aways $ whoami Malware

1.19k views • 97 slides

More recommend