malware defense ii
play

Malware Defense II TDDD17 Information Security, Second Course - PowerPoint PPT Presentation

Dec 16, 2022 •248 likes •760 views

Malware Defense II TDDD17 Information Security, Second Course Alireza Mohammadinodooshan Department of Computer and Information Science Linkping University TDDD17 - Malware Defense II 1/31/2020 2 What Has Been Covered Malware

  1. Malware Defense II TDDD17 – Information Security, Second Course Alireza Mohammadinodooshan Department of Computer and Information Science Linköping University

  2. TDDD17 - Malware Defense II 1/31/2020 2 What Has Been Covered … • Malware basics – Different types of functionality – Different infection Methods • AV cat and mouse game – Signatures based detection – More complex signatures and static heuristics – Static unpacking and emulation – Cloud-based detection – Machine learning detection

  3. TDDD17 - Malware Defense II 1/31/2020 3 Agenda • Mobile malware Specific challenges – – Specific risks – Security models and their effect on malware detection • iOS • Android Detection countermeasures – • Machine learning for malware detection – Motivation – Terminology – Learning types Machine learning-based malware detection challenges –

  4. TDDD17 - Malware Defense II 1/31/2020 4 Motivation • 3.5 billion smartphone users in the world in 2020 https://gs.statcounter.com/os-market-share

  5. TDDD17 - Malware Defense II 1/31/2020 5 Motivation • Using old versions of android • It is not surprising that Mobile platform became an appealing target for the malware authors. • Android malware variants grew 31% in a year and number close to 20 million https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf

  6. TDDD17 - Malware Defense II 1/31/2020 6 Mobile Malware Definition • Malicious software designed to attack mobile devices – Phone – Tablet – Watch – TV

  7. TDDD17 - Malware Defense II 1/31/2020 7 Samples of Mobile Malware • iOS stock – PawnStorm.A • Able to upload GPS location, contact list, photos to a remote server. – YiSpecter • Able to download, install and launch arbitrary apps • Android – Android/Filecoder.C • Able to spread via text messages and contains a malicious link. Encrypts all of your local files in exchange for a ransom between $94 and $188. Plankton – • Communicates with a remote server, downloads and install other applications and sends premium SMS messages https://forensics.spreitzenbarth.de/

  8. TDDD17 - Malware Defense II 1/31/2020 8 Mobile Malware Specific Challenges 1. Lots of users – Botnets 2. More personalized and privacy concerns – Banking info – Personal Photos – Contact info 3. Widespread access to networks – 4G – Wifi – Bluetooth

  9. TDDD17 - Malware Defense II 1/31/2020 9 Mobile Malware Specific Challenges 4. Less computation power – Limited capabilities for on-device detection 5. Almost exclusively trojans – Repackaged apps • It is easier to reverse engineer Android apps • A very simple technique is to replace the advertisement logic and re-bundle and publish the app – Fake apps also exist!

  10. TDDD17 - Malware Defense II 1/31/2020 10 Mobile Malware Specific Challenges 6. Due to limited computation power, most of the trust in apps is moved to app stores to analyze the apps – While for the 3 rd party stores and somehow even for the google play store, this is a mistrust(we will elaborate on this … ) – Attackers also have the motivation to deliver their malware through stores(official or third party) – Drive-by-downloads also exist, but are rare 7. As the Android ’ s kernel is open source, attackers have a better understanding of its vulnerabilities if they exist

  11. TDDD17 - Malware Defense II 1/31/2020 11 Mobile Malware Specific Challenges 8. Harder to detect with 3 rd party AV on the device compared to PC malware due to stronger isolation between apps – Memory isolation – User isolation • Each app is treated as a separate user • Applications cannot interact with each other, and they have limited access to the system as well as other apps resources

  12. TDDD17 - Malware Defense II 1/31/2020 12 Mobile Malware Risks • System damage – Battery draining – Disabling system functions • Block calling functionality • Economic – Sending SMS or MMS messages to premium numbers – Dialing premium numbers – Deleting important data Peng, S., Yu, S., & Yang, A. (2013). Smartphone malware and its propagation modeling: A survey. IEEE Communications Surveys & Tutorials, 16(2), 925-941

  13. TDDD17 - Malware Defense II 1/31/2020 13 Mobile Malware Risks • Information leakage – Privacy – Stealing bank account information • Disturbing mobile networks – Denial-of-service (DoS)

  14. TDDD17 - Malware Defense II 1/31/2020 14 iOS Security Model • System Security – Startup and updates are authorized • Data security – File-level data protection uses strong encryption keys derived from the user’s unique passcode. • App security – Application run in their sandboxes. – More important than this … https://developer.apple.com/app-store/review/

  15. TDDD17 - Malware Defense II 1/31/2020 15 iOS Security Model • Before releasing on store they go through a strict vetting process – Manual testing – Static analysis – Apps can not do actions outside of what they claim

  16. TDDD17 - Malware Defense II 1/31/2020 16 Android Architecture • Hardware Abstraction Layer (HAL) – provides standard interfaces that make the device hardware capabilities available to the higher-level Java API framework. • Android Runtime – For new Android devices, each app runs in its own process and with its own instance of the Android Runtime (ART). Before ART, the Dalvik VM has been used • Native C/C++ Libraries It is possible to have compiled c/c++ code – packaged with an Apk which can be called through Java Native Interface (JNI) https://developer.android.com/guide/platform

  17. TDDD17 - Malware Defense II 1/31/2020 17 Android Application Compiling Native https://justamomentgoose.wordpress.com/2013/06/04/android-started-note-2-android-file- apk-decompile/

  18. TDDD17 - Malware Defense II 1/31/2020 18 Androidmanifest.xml • Provides the essential information to the Android system regarding this app – Minimum android API – Linked libraries – Components, activities, services, … – Required permissions

  19. TDDD17 - Malware Defense II 1/31/2020 19 Android Security Model • Application Sandboxing – Android automatically assigns a unique UID to each app at installation – App is allowed to access : • Own files • World-accessible resources – More access : • Managed through defining in the androidmanifest.xml – <uses-permission android:name="android.permission.READ_PHONE_STATE " />

  20. TDDD17 - Malware Defense II 1/31/2020 20 Android Security Model • Vetting process – Does not require an exhaustive app vetting process • More lenient comparing to iOS – Apps are dynamically tested with a Google security service known as Bouncer. • The results are combined with the output coming from the google reputation system – Researchers have shown the feasibility of fingerprinting Bouncer • Android ID. • phone number • … . • Check John Oberheide and Charlie Miller ’ s work – Malware may be able to bypass Bouncer • They have the motivation to bypass it because they want not to be detected by it. So if they detect that they are running in bouncer they do not show their actual behavior

  21. TDDD17 - Malware Defense II 1/31/2020 21 Mobile Malware Detection • Static Code Analysis – Signature-Based Technique • Specific strings or patterns in the byte code • Extracting the strings is straightforward – Permission-Based Technique • Analysing the requested permissions to identify the potential malware samples – Dalvik Bytecode-Based Technique • Analysing the byte code to identify the malicious Android samples(API calls, data flows ,…)

  22. TDDD17 - Malware Defense II 1/31/2020 22 Mobile Malware Detection • Dynamic Behavior Analysis – Sequence of system calls – Accessed files • Hybrid Analysis

  23. TDDD17 - Malware Defense II 1/31/2020 23 Malware Detection Countermeasures • Static – Obfuscation • Making the byte code hard to understand • Making signature or even some static heuristics-based analysis harder – Packing • Dynamic – Sandbox detection • Many of the sandboxes still do not have real device behaviors – E.g. do not support GPS or do not have a real GPS accuracy

  24. TDDD17 - Malware Defense II 1/31/2020 24 Obfuscation • Identifier renaming – garble the key identifiers used in their source code. e.g., ’a’, ‘b’, ‘ aa ’, ‘ab’, ‘ ac ’ • String encryption – Replacing the constant strings in the dex file with their encrypted form and adding the code to decrypt them on the fly • Control flow obfuscation: changing the logical flow of the program Injecting dead code – obj = benign() var1 = 10 – Re-ordering statements var2 = [var1 for i in range(10)] – Inserting opaque predicates. if var1 == var2[0]: • It is always true or false obj = malware() obj.load() • Malware author knows this • But it is hard for the analyst to follow and find the value

  25. TDDD17 - Malware Defense II 1/31/2020 25 Packing

  26. Machine Learning for Malware Analysis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code for applications and malware is not

1.1k views • 58 slides
malware analysis for the enterprise jason ross yesterday: impenetrable defense today:

malware analysis for the enterprise jason ross yesterday: impenetrable defense today:

malware analysis for the enterprise jason ross yesterday: impenetrable defense today: tourist attraction obligatory narcissism worked in IT security for &gt; 10 years employed with the BT ethical hacking team contribute to

841 views • 45 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features &amp; Benefits 3. How does it work 4.

661 views • 47 slides
Virus Concepts and Terminology CS 4440/7440 Malware Analysis &amp; Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis &amp; Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis &amp; Defense Today } Take a look at this: } https://www.corelan.be/index.php/articles/ } Check out the Exploit Writing Tutorials } Starting Szor, Chapter 2. } Check out the Virus

1.34k views • 46 slides
Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

410 views • 25 slides
Defense against the Dark Arts Overview / Terminology 1 malware evil software display a

Defense against the Dark Arts Overview / Terminology 1 malware evil software display a

Defense against the Dark Arts Overview / Terminology 1 malware evil software display a funny message send passwords/credit card numbers to criminals take pictures to send to criminals delete data hold data hostage insert/replace ads

1.17k views • 63 slides
File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis &amp; Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis &amp; Defense

File Infection Techniques: File Resident Viruses CS 4440/7440 Malware Analysis &amp; Defense Bill Harrison Viruses: Online Resources } Symantec Virus Encyclopedia: http://securityresponse.symantec.com/avcenter/ vinfodb.html } McAfee Virus

1.06k views • 31 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Automatic Performance Tuning and Machine Learning Markus Pschel Computer Science, ETH Zrich

Automatic Performance Tuning and Machine Learning Markus Pschel Computer Science, ETH Zrich

Carnegie Mellon Automatic Performance Tuning and Machine Learning Markus Pschel Computer Science, ETH Zrich with: Frdric de Mesmay PhD, Electrical and Computer Engineering, Carnegie Mellon M arkus Pschel, ETH Zurich, 201 1

388 views • 38 slides
Probability &amp; Statistics Intro / Review NEU 560 Jonathan Pillow Lecture 6, part II 1

Probability &amp; Statistics Intro / Review NEU 560 Jonathan Pillow Lecture 6, part II 1

Probability &amp; Statistics Intro / Review NEU 560 Jonathan Pillow Lecture 6, part II 1 continuous probability distribution takes values in a continuous space, e.g., probability density function (pdf) : 2 discrete probability

431 views • 32 slides
Linear Transform Libraries Yevgen Voronenko, Frdric de Mesmay, and Markus Pschel Carnegie

Linear Transform Libraries Yevgen Voronenko, Frdric de Mesmay, and Markus Pschel Carnegie

Computer Generation of General Size Linear Transform Libraries Yevgen Voronenko, Frdric de Mesmay, and Markus Pschel Carnegie Mellon University, Pittsburgh, USA PROBLEM AND MOTIVATION

737 views • 40 slides
Tsing nghua hua University versity Introduction Deep learning has widely used in lots of

Tsing nghua hua University versity Introduction Deep learning has widely used in lots of

Deep ep500 500 BOF 2018 Jidong ong Zhai Tsing nghua hua University versity Introduction Deep learning has widely used in lots of areas Introduction A lot of deep learning frameworks, compute libraries and acceleration devices

371 views • 15 slides
Holographic models for QCD Elias Kiritsis University of Crete ( APC, Paris ) 1- Collaborators

Holographic models for QCD Elias Kiritsis University of Crete ( APC, Paris ) 1- Collaborators

String Theory and Extreme Matter Workshop Heildeberg, 15-20 March 2010 Holographic models for QCD Elias Kiritsis University of Crete ( APC, Paris ) 1- Collaborators My Collaborators Umut Gursoy (Utrecht) Ioannis Iatrakis (U. of Crete)

1.63k views • 135 slides
Learning agents Performance standard Critic Sensors Learning from Observations feedback

Learning agents Performance standard Critic Sensors Learning from Observations feedback

Learning agents Performance standard Critic Sensors Learning from Observations feedback Environment changes Chapter 18, Sections 13 Learning Performance element element knowledge learning goals experiments Problem generator

174 views • 6 slides
Methods for handling uncertainty Default or nonmonotonic logic: Assume my car does not have a

Methods for handling uncertainty Default or nonmonotonic logic: Assume my car does not have a

Methods for handling uncertainty Default or nonmonotonic logic: Assume my car does not have a flat tire Assume A 25 works unless contradicted by evidence Uncertainty Issues: What assumptions are reasonable? How to handle contradiction? Rules

137 views • 10 slides
Architecture in practice Actor Model and Event Sourcing combined with Security October 2017 by

Architecture in practice Actor Model and Event Sourcing combined with Security October 2017 by

FLYNT Architecture in practice Actor Model and Event Sourcing combined with Security October 2017 by Stefan Thiel, Enterprise Architect Stefan myself FLYNT history and stats 2014 2015 March 2017 April 2017 July 2017 July 2017

667 views • 24 slides

More recommend