correlating low level events to identify high level bot
play

Correlating Low-Level Events To Identify High-Level Bot Behaviors - PowerPoint PPT Presentation

Nov 20, 2022 •333 likes •534 views

Correlating Low-Level Events To Identify High-Level Bot Behaviors Liz Stinson Matt Fredrikson Somesh Jha John Mitchell University of Wisconsin Stanford University Lorenzo Martignoni University of Milan Our anti-inspirations

  1. Correlating Low-Level Events To Identify High-Level Bot Behaviors Liz Stinson Matt Fredrikson Somesh Jha John Mitchell University of Wisconsin Stanford University Lorenzo Martignoni University of Milan

  2. Our anti-inspirations • “Personal firewalls”: identify when an app is Too ambiguous connecting to the network • Host-level methods that inundate us with information (all registry accesses/changes, Too noisy; devoid of meaning file accesses/changes) without providing a higher-level assessment of what’s going on

  3. Problem Statement • >5M “distinct, active” bot-infected machines detected between January - June, 2007 – “active”: carried out at least one attack – Symantec Threat Report, Volume XII • The *best* anti-virus signature scanners fail to detect anywhere from 30% to 50% of malware samples seen in the wild – NB: The best AV scanners may not be who you think they are…

  4. Problematic Asymmetry Malware writers know they have the work(create_sig) >> work(create_variant) advantage here and they exploit it. • AV companies decide which undetected Tens of thousands of novel malware to create sigs for using triage; must malware variants created annually exceed some prevalence threshold

  5. Existing behavior-based detection • Identify simple, mostly stateless “features” May identify incidental , rather (process execution characteristics); e.g. than fundamental behaviors – Which dir(s) does app live in? write to? App = shadow? – App survives reboot? Spawns/terminates other For ML-based approaches, may be processes? Is orphan? Hides? Its image has changed? � Traits malware have adapted to evade AV detect other ways to achieve same end (i.e. ways not included in model) • Statefully scan network packet contents • More general characterizations – Abstract: spyware monitors/reports user actions – Concrete: rootkits that load kernel modules

  6. Broad spectrum. How to evaluate? • How effectively does this method distinguish malicious behavior from benign? • How thoroughly is target behavior captured? • How complex is the identified behavior? • How fundamental is the behavior to the malware’s purpose?

  7. Goals • We want to identify high-level behaviors Sample bot commands – “downloading and executing a program” – “acting like a TCP server” http.execute <URL> <local_path> – “acting like a proxy” harvest.registry <reg_key> redirect <lport> <rhost> <rport> – “leaking sensitive data” startkeylogger • Bot-command-level actions • Via monitoring process execution • Distinguish malicious from benign instances of above by identifying if remotely initiated

  8. tcp connection Example: Acting like a proxy tcp connection

  9. Identifies ordering dependencies Not shown here edge constraints die operations socket duplication intervening irrelevant ops

  10. Including parameters and constraints Constraints can be pre-conditions or post-conditions

  11. tcp_client

  12. We’ll focus on this Refining

  13. (send_buf == recv_buf) • Too constrained; really want to express: the buffer that is sent is derived from a buffer that is received • Augment (add action to): on_match of net_recv set_tainted( recv_buf, sd2 /*taint label*/ ) • Change condition to: tainted( send_buf, sd2 /*taint label*/ )

  14. Modified graph

  15. .redirect <loc_port> <rem_host> <rem_port> Add constraints

  16. “Language” our system exports • Set of high-level primitives that can be combined to describe interesting behaviors – tcp_client , tcp_server , net_send , net_r ecv , create_exec_file , … • Using these, we can detect: – Leak private data (reg key values, file contents, system info, …) – Download and execute a program – Send email – Proxy – Keystroke logging

  17. Challenges • Posed by proprietary-OS environment – Opacity; identifying operations & constraints – Replicating OS semantics • Posed by syscall interposition generally • Posed by hypothetical attempts to evade – Split behavior across processes or across runs of the same application – Expropriate kernel functionality • e.g. raw sockets

  18. Summary � Target the behaviors that make bots useful � Identify the essential ops in those behaviors � Use data-flow analysis info variously � Good initial results against bots o Including: rbot, agobot, dsnxbot, spybot, ... o Use bot commands as inspiration o Resilient to encryption of bot communications � Good initial results against benign progs o When testing against specifications that encode remote-control requirement o Performing user-input tracking

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot; the human level to the physical level? &quot; the decide level to the action level? MDPs are great, search is great,

676 views • 31 slides
High-level languages High-level languages are not immune to these problems. Actually, the

High-level languages High-level languages are not immune to these problems. Actually, the

High-level languages High-level languages are not immune to these problems. Actually, the situation is even worse: the compiler might reorder/remove/add memory accesses; and then the hardware will do some relaxed execution. p. 1 Constant

512 views • 26 slides
High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level

High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level

Just compile it: High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level language? julia&gt; function mandel(z) c = z Dynamically typed, high-level syntax maxiter = 80 for n = 1:maxiter if abs(z) &gt; 2

953 views • 44 slides
What is a Bro log? 1 What is a Bro log? A stream of

What is a Bro log? 1 What is a Bro log? A stream of

What is a Bro log? 1 What is a Bro log? A stream of high level entries that correspond to lower level events. An HTTP request/reply pair.

749 views • 16 slides
Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR

Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR

Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR GPS-DENIED LOCALIZATION OF AUTONOMOUS GROUND VEHICLES Calvin Cheung Stanley Baek U.S. Army Tank Department of Electrical and Computer Army

397 views • 15 slides
Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2016 - Lecture 13: Practical Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and blind stupidity DotCloud: high-level (2)

1.26k views • 51 slides
Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2015 - Lecture 10: Practical Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and blind stupidity DotCloud: high-level (2)

440 views • 43 slides
HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH: FROM HYPER- HEURISTICS TO ALGORITHM SELECTION MUSTAFA MISIR HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem (~instance), Operates upon perform a search on algorithm space

526 views • 23 slides
Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want

Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want

Juliana Franco Martin Hagelin Tobias Wrigstad Sophia Drossopoulou The OHMM framework Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want fast programs? More cores? More threads? Write better

330 views • 29 slides
UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting

UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting

UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting on TB Level Meeting on TB Berlin, 18 May 2017 Berlin, 18 May 2017 Berlin, 18 May 2017 Berlin, 18 May 2017 Lucica Ditiu and Greg Paton, Stop TB

668 views • 20 slides
Bridging the gap between low level vision and high level tasks

Bridging the gap between low level vision and high level tasks

Bridging the gap between low level vision and high level tasks VALSE 2019-09-18 1 Outline Gated fusion network for single image dehazing , CVPR18 Benchmarks: RESIDE (dehazing), MPID

1k views • 45 slides
High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng

High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng

High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng University of South Florida 1 Existing Design Flow Register-transfer (RT) synthesis Specify RT structure (muxes, registers, etc) Allows

1.29k views • 70 slides
INVESTOR + Second level PRESENTATION Third level Fourth level Fifth level F e b r u

INVESTOR + Second level PRESENTATION Third level Fourth level Fifth level F e b r u

Click to edit Master text styles + INVESTOR + Second level PRESENTATION Third level Fourth level Fifth level F e b r u a r y 2 0 1 8 Forward-looking statement This document contains certain forward-looking statements with

1.12k views • 31 slides
UYR Second level Third level Under Your Radar Fourth level Fifth level

UYR Second level Third level Under Your Radar Fourth level Fifth level

Click to edit Master title style Click to edit Master text styles UYR Second level Third level Under Your Radar Fourth level Fifth level Covert Channel &amp; Exfiltration Ali Hadi / Mariam Khader Princess Sumaya

277 views • 25 slides
Introduction to Python Python: very high level language, has high-level data structures built-in

Introduction to Python Python: very high level language, has high-level data structures built-in

Introduction to Python Python: very high level language, has high-level data structures built-in (such as dynamic arrays and dictionaries). easy to use and learn. Can be used for scripting (instead of Perl, awk), or for general programming.

414 views • 14 slides
How to Sell Process Improvement Second level Third level Fourth level Fifth

How to Sell Process Improvement Second level Third level Fourth level Fifth

Click to edit Master text styles How to Sell Process Improvement Second level Third level Fourth level Fifth level Molly Levy Manager, Developmental Quality Engineering DRS Technologies A Finmeccanica Company DRS

439 views • 20 slides
Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun Chauhan, Martin Swany School of Informatics and Computing Indiana University, Bloomington, USA 1 Fast Parallel Longest Common Subsequence with

495 views • 37 slides
Unit 5 State Machines 5.2 What is state? You see a DPS officer approaching you. Are you

Unit 5 State Machines 5.2 What is state? You see a DPS officer approaching you. Are you

5.1 Unit 5 State Machines 5.2 What is state? You see a DPS officer approaching you. Are you happy? It's late at night and your car broke down. It's late at night and you've been partying a little too hard. Your interpretation is

717 views • 26 slides
A Broad View of the Ecosystem of Socially Engineered Exploit Documents Stevens Le Blond,

A Broad View of the Ecosystem of Socially Engineered Exploit Documents Stevens Le Blond,

A Broad View of the Ecosystem of Socially Engineered Exploit Documents Stevens Le Blond, Cdric Gilbert, Utkarsh Upadhyay, Manuel Gomez Rodriguez and David Choffnes Challenges with measuring targeted attacks Low-volume, socially

1.11k views • 86 slides
Closing Town Hall Courtney Shurtleff | Director, Alumni Relations Merritt Crowley | Vice

Closing Town Hall Courtney Shurtleff | Director, Alumni Relations Merritt Crowley | Vice

Closing Town Hall Courtney Shurtleff | Director, Alumni Relations Merritt Crowley | Vice President, Advancement October 2020 Campus Life Engagement in a Virtual World Virtual Wine Tasting with Fontaine McFadden '05 Engagement in a Virtual

522 views • 9 slides
Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data Content provided by Presenter: Ray Cool, CEO PBSI Technology Solutions Webinar will begin at 10:00 Page 1 Series Goals Series Goals

146 views • 13 slides
Sound in the broader urban context Ronny Klboe Background 1980s Norwegian

Sound in the broader urban context Ronny Klboe Background 1980s Norwegian

Sound in the broader urban context Ronny Klboe Background 1980s Norwegian regulation: Large infrastructure projects should document their consequences Heavy investments in ring roads and tunnel projects Typical for road and

232 views • 19 slides
Engagement &amp; Motivation Across Learning Environments Benjamin Bell, Ph.D. Benjamin Nye, Ph.D.

Engagement &amp; Motivation Across Learning Environments Benjamin Bell, Ph.D. Benjamin Nye, Ph.D.

Toward a Generalized Appliance for Measuring Engagement &amp; Motivation Across Learning Environments Benjamin Bell, Ph.D. Benjamin Nye, Ph.D. Institute for Creative Technologies Elaine Kelsey Eduworks Corporation Framing the Problem

434 views • 15 slides
CVD Congressional Visit Day (Spring Semester) What? Travel to D.C Meet with Senators

CVD Congressional Visit Day (Spring Semester) What? Travel to D.C Meet with Senators

CVD Congressional Visit Day (Spring Semester) What? Travel to D.C Meet with Senators and Congressmen Discuss the importance of STEM funding Personal stories of how the funding is/has helped you When? Mid Spring

303 views • 4 slides

More recommend