mining malware specifications through static reachability
play

Mining malware specifications through static reachability analysis - PowerPoint PPT Presentation

Jul 31, 2023 •402 likes •870 views

Introduction Mining specifications Detecting malware Results References Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir Touili 2 1 INRIA Rocqencourt 2 LIAFA Univ. Paris 7 November 4, 2013

  1. Introduction Mining specifications Detecting malware Results References Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir Touili 2 1 INRIA Rocqencourt 2 LIAFA Univ. Paris 7 November 4, 2013

  2. Introduction Mining specifications Detecting malware Results References Motivation Our goal: Malware detection! Why? Social impact! • Malware in the news! • We are all collateral damage! Huge technological challenge! • 286 million new malware variants in 2010 ([Fossi et al.])

  3. Introduction Mining specifications Detecting malware Results References Motivation Our goal: Malware detection! Why? Social impact! • Malware in the news! • We are all collateral damage! Huge technological challenge! • 286 million new malware variants in 2010 ([Fossi et al.]) We need automation!

  4. Introduction Mining specifications Detecting malware Results References Existing anti-malware technology Emulation based • Time limited • Behavior hiding Signature matching based • Easy to avoid detection by syntactic manipulation!

  5. Introduction Mining specifications Detecting malware Results References Malware detection More robust techniques Solution One needs to analyse the behavior not the syntax of the program without executing it!

  6. Introduction Mining specifications Detecting malware Results References Malware detection More robust techniques Solution One needs to analyse the behavior not the syntax of the program without executing it! Model checking is a good candidate!

  7. Introduction Mining specifications Detecting malware Results References Model checking for malware detection Program | = Malicious behavior

  8. Introduction Mining specifications Detecting malware Results References Model checking for malware detection Program | = Malicious behavior Model?

  9. Introduction Mining specifications Detecting malware Results References Model checking for malware detection Program | = Malicious behavior Specification formalism Model? to describe behaviors?

  10. Introduction Mining specifications Detecting malware Results References Previous approaches on model checking for malware detection Use finite state models • (E.g. Kinder et al. [2010],Bonfante et al. [2008]) • But the model fails to capture stack behavior! Why is the stack important? Malware writers use the stack to obfuscate their behaviour.

  11. Introduction Mining specifications Detecting malware Results References Example of obfuscation E.g. call obfuscation: l 1 : push m l 1 : push m l 2 : push 0 l 2 : push 0 l 3 : push l r l 3 : call GetModuleFileName l 4 : jmp l g l r : . . . l r : . . . Import address table l g GetModuleFileName

  12. Introduction Mining specifications Detecting malware Results References Example of obfuscation E.g. call obfuscation: l 1 : push m l 1 : push m l 2 : push 0 l 2 : push 0 l 3 : push l r l 3 : call GetModuleFileName l 4 : jmp l g l r : . . . l r : . . . Import address table l g GetModuleFileName Our solution is: To use pushdown systems that is a finite state system + a stack

  13. Introduction Mining specifications Detecting malware Results References We use PDS (FSS + stack!) Pushdown systems ( PDS ) A PDS is a triple P = ( P , Γ , ∆) where: • P is a finite set of control points, • Γ is a finite alphabet of stack symbols, and • ∆ ⊆ ( P × Γ) × ( P × Γ ∗ ) is a finite set of transition rules. Configurations • A configuration � p , ω � of P is an element of P × Γ ∗

  14. Introduction Mining specifications Detecting malware Results References PDS for malware detection Since 2012 PDS have been used to perform malware detection! • FM [Song and Touili, 2012b] • TACAS [Song and Touili, 2012a] POMMADE tool (FSEN [Song and Touili, 2013]) • Logic to specify malicious behaviors. • Few malicious behaviors (discovered manually!)

  15. Introduction Mining specifications Detecting malware Results References PDS for malware detection Since 2012 PDS have been used to perform malware detection! • FM [Song and Touili, 2012b] • TACAS [Song and Touili, 2012a] POMMADE tool (FSEN [Song and Touili, 2013]) • Logic to specify malicious behaviors. • Few malicious behaviors (discovered manually!) Our contribution in this work is to Show how to automatically extract the malicious behaviors from a set of malware!

  16. Introduction Mining specifications Detecting malware Results References Model checking for malware detection Program | = Malicious behavior Specification?? PDS

  17. Introduction Mining specifications Detecting malware Results References Example of an email worm behavior Assembly fragment from Bagle malware l 1 : push m l 2 : push 0 l 3 : call GetModuleFileName . . . l 4 : push m l 5 : call CopyFile Self-replication!

  18. Introduction Mining specifications Detecting malware Results References System call dependency trees (SCDT) l 1 : push m l 2 : push 0 GetModuleFileName l 3 : call GetModuleFileName 1 2 ֌ 1 . . . 0 CopyFile l 4 : push m l 5 : call CopyFile Self-replication!

  19. Introduction Mining specifications Detecting malware Results References Model checking for malware detection To summarize Program | = Malicious behavior PDS SCDT

  20. Introduction Mining specifications Detecting malware Results References Roadmap Introduction Mining specifications Detecting malware Results

  21. Introduction Mining specifications Detecting malware Results References How to automatically discover malicious SCDTs from programs? Approach Learning! Given a: • set of already known malicious programs • set of already known benign programs The goal is To extract SCDT s and use statistical machinery to distinguish the malicious ones!

  22. Introduction Mining specifications Detecting malware Results References How to extract SCDTs from a program? 1. Model binaries as pushdown systems (mimic program behaviors)

  23. Introduction Mining specifications Detecting malware Results References How to extract SCDTs from a program? 1. Model binaries as pushdown systems (mimic program behaviors) 2. Static reachability analysis (discover system calls)

  24. Introduction Mining specifications Detecting malware Results References How to extract SCDTs from a program? 1. Model binaries as pushdown systems (mimic program behaviors) 2. Static reachability analysis (discover system calls) 3. Extract behaviors (discover data flows encoded as trees)

  25. Introduction Mining specifications Detecting malware Results References Learning malicious trees MalSCDT malicious behavior trees A malicious behavior tree is a tree that occurs frequently in malware extracted SCDT s! To compute frequent “subtrees” we use gSpan! We specialize the frequent subgraph algorithm presented in [Yan and Han, 2002] to the case of trees.

  26. Introduction Mining specifications Detecting malware Results References Roadmap Introduction Mining specifications Detecting malware Results

  27. Introduction Mining specifications Detecting malware Results References Model checking for malware detection In summary we want to verify that: Program | = Malicious behavior PDS MalSCDT

  28. Introduction Mining specifications Detecting malware Results References Recognizing MalSCDT A problem! SCDT extracted from MalSCDT program under test . . . . . . GetModuleFileName GetModuleFileName 2 ֌ 1 1 1 2 ֌ 1 . 0 CopyFile . 0 . CopyFile . . . Use automata with regexps! GetModuleFileName (q ∗ 1(0)q ∗ 2 ֌ 1(CopyFile) q ∗ ) → q fin

  29. Introduction Mining specifications Detecting malware Results References Teaching computers to detect malware Build malicious behaviors database 1. Build an hedge automaton A (recognizing MalSCDT )

  30. Introduction Mining specifications Detecting malware Results References Teaching computers to detect malware Build malicious behaviors database 1. Build an hedge automaton A (recognizing MalSCDT ) Malware detection 1. Model binary as PDS (mimic program behavior)

  31. Introduction Mining specifications Detecting malware Results References Teaching computers to detect malware Build malicious behaviors database 1. Build an hedge automaton A (recognizing MalSCDT ) Malware detection 1. Model binary as PDS (mimic program behavior) 2. Static reachability analysis (discover system calls)

  32. Introduction Mining specifications Detecting malware Results References Teaching computers to detect malware Build malicious behaviors database 1. Build an hedge automaton A (recognizing MalSCDT ) Malware detection 1. Model binary as PDS (mimic program behavior) 2. Static reachability analysis (discover system calls) 3. Extract SCDT (discover data flows encoded as a tree)

  33. Introduction Mining specifications Detecting malware Results References Teaching computers to detect malware Build malicious behaviors database 1. Build an hedge automaton A (recognizing MalSCDT ) Malware detection 1. Model binary as PDS (mimic program behavior) 2. Static reachability analysis (discover system calls) 3. Extract SCDT (discover data flows encoded as a tree) 4. Check wether SCDT belongs to A

  34. Introduction Mining specifications Detecting malware Results References Roadmap Introduction Mining specifications Detecting malware Results

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University I Why mine specifications? Whole-program static analysis Application Whole-program static

992 views • 84 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New transactions, new friends, stop following somebody in T witter, But most data mining algorithms assume static data Even a minor change requires

925 views • 44 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21 Overview

1.3k views • 53 slides
Part II: Symbolic reachability for prefix rewriting Case study: Drawing skylines static Random r

Part II: Symbolic reachability for prefix rewriting Case study: Drawing skylines static Random r

Part II: Symbolic reachability for prefix rewriting Case study: Drawing skylines static Random r = new Random(); static void m() { if (r.nextBoolean()) { s(); right(); if (r.nextBoolean()) m(); } else { up(); m(); down(); } } static void s() {

973 views • 64 slides
SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj Giovanni Vigna B.S Manjunath Ezeanaka Kingsley CISC850 Cyber Analytics CISC850 Cyber Analytics Abstract Sigmal as a malware detection framework -

454 views • 17 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
A First Look at the Crypto-Mining Malware Ecosystem A Decade of Unrestricted Wealth and Profit

A First Look at the Crypto-Mining Malware Ecosystem A Decade of Unrestricted Wealth and Profit

A First Look at the Crypto-Mining Malware Ecosystem A Decade of Unrestricted Wealth and Profit Sergio Pastrana @THANKS: Slides design by Guillermo Suarez-Tangil Universidad Carlos III de Madrid https://arxiv.org/pdf/1901.00846.pdf 2

550 views • 24 slides
CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7, 2017 Signature-based Anti-Virus Systems By far, the most popular weapon against cyber attacks is signature-based antivirus software. When

709 views • 12 slides
Mining Malware Secrets Paul Black Arun Lakhotia Federation University University of Louisiana

Mining Malware Secrets Paul Black Arun Lakhotia Federation University University of Louisiana

Mining Malware Secrets Paul Black Arun Lakhotia Federation University University of Louisiana at Lafayette Introductions Paul Black Arun Lakhotia Malware Analyst 5 years Professor of Computer Science CEO, Cythereal,

754 views • 32 slides
Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis

Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis

Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis Storlie, Terran Lane Vinit Singh 18 th April 2017 CISC850 Cyber Analytics CISC850 Cyber Analytics INTRODUCTION Why is there a need for

192 views • 16 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
Representing and Explaining Novel Concepts with Minimal Supervision Dr. Zeynep Akata 2 April

Representing and Explaining Novel Concepts with Minimal Supervision Dr. Zeynep Akata 2 April

Representing and Explaining Novel Concepts with Minimal Supervision Dr. Zeynep Akata 2 April 2019 1 Outline Motivating the Importance of Side Information (Generalized) Zero-Shot Learning with Side Information Deeply Explainable Artificial

884 views • 76 slides
ONOS Overview OPNFV Design Summit November 9, 2015 Brian O'Connor Open Networking Lab What is

ONOS Overview OPNFV Design Summit November 9, 2015 Brian O'Connor Open Networking Lab What is

ONOS Overview OPNFV Design Summit November 9, 2015 Brian O'Connor Open Networking Lab What is ONOS? Open Network Operating System (ONOS) is an open source SDN network operating system. Our mission is to enable Service Providers to build real

528 views • 13 slides
How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal mechanism with high transmission and broad bandwidth Tsun-Hsu Chang ( ) Department of Physics, National Tsing Hua University Claim: The

454 views • 23 slides
Week 9: Model Building 2 Prediction and Causality Variable selection, BIC, forward-stepwise

Week 9: Model Building 2 Prediction and Causality Variable selection, BIC, forward-stepwise

BUS41100 Applied Regression Analysis Week 9: Model Building 2 Prediction and Causality Variable selection, BIC, forward-stepwise regression, model comparison and predictive validation Max H. Farrell The University of Chicago Booth School of

809 views • 54 slides
Yeni Kavramlar En Az Denetim ile Temsil Etme ve A cklama Zeynep Akata Bilim Akademisi -

Yeni Kavramlar En Az Denetim ile Temsil Etme ve A cklama Zeynep Akata Bilim Akademisi -

Yeni Kavramlar En Az Denetim ile Temsil Etme ve A cklama Zeynep Akata Bilim Akademisi - Bilkent Universitesi Yapay O grenme Yaz Okulu 2020 30 Haziran 2020 1 Outline Generalized Low-Shot Learning with Side-Information

1.2k views • 90 slides
Understanding Standards (with respect to Middleware) Pretty dull but important & relevant

Understanding Standards (with respect to Middleware) Pretty dull but important & relevant

Understanding Standards (with respect to Middleware) Pretty dull but important & relevant Disclaimer Some of the material in this presentation has been adopted from Open Standards and Security. David A. Wheeler. July 12, 2006.

535 views • 27 slides
DBpedia Ontology Enrichment for Inconsistency Detection and Statistical Schema Induction

DBpedia Ontology Enrichment for Inconsistency Detection and Statistical Schema Induction

DBpedia Ontology Enrichment for Inconsistency Detection and Statistical Schema Induction Presentation By Tung Do 1. Statistical Schema Induction 2. DBpedia Ontology Enrichment for Inconsistency Detection 22. Januar 2013 | TU Darmstadt | Tung Do

987 views • 37 slides
Me Meet eting ing 20 2019 19 Welcome and Chairs report Treasurers Report

Me Meet eting ing 20 2019 19 Welcome and Chairs report Treasurers Report

An Annua ual l Ge General ral Me Meet eting ing 20 2019 19 Welcome and Chairs report Treasurers Report Elect ection ion of Tr Trustees ees an and Off Officer icers Qu Ques estions ions & A & Ans

516 views • 26 slides

More recommend