on static malware detection
play

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. - PowerPoint PPT Presentation

Oct 02, 2023 •418 likes •1.34k views

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

  1. On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13

  2. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware

  3. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a Malware detection is central computer system used to monitor technical problems in the aircraft was infected with malware important!!

  4. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature

  5. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable

  6. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment

  7. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval

  8. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature Solution: o Easy to get around Check the behavior (not the syntax) of o New variants of viruses with the same behavior cannot be detected by these techniques the program without executing it o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Static Analysis and Model Checking are good candidates

  9. Goal: Static Analysis and Model- checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism? Existing works: use finite automata to model the programs Stack?

  10. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : push L1 L0 : call f L’0: jmp f L1: … L1: … … … … … f : function f f : function f

  11. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system Important to analyse the program’s • Antiviruses determine malware by checking the calls stack to the operating systems. • Virus writers try to hide these calls. L0 : push L1 Solution: L0 : call f L’0: jmp f Use pushdown systems to model L1: … L1: … programs … … … … f : function f f : function f

  12. Pushdown Systems PDS = finite automaton + Stack P =(P, Г , Δ), • P is a finite set of control states • Г is the stack alphabet • Δ ⊆ (P× Г) × (P×Г*) is a finite set of transitions • A configuration is a pair <p,ω> ∈ × Г * P • If <p, α> → <p’,ω> ∈ Δ, then, for every u ∈ Г*, <p, αu> => <p’,ωu>

  13. From Binary Codes to PDSs

  14. Difficulty: mov eax, 1 0 is pushed dec eax It’s non-trival to get onto the stack push eax registers’ values call GetModuleHandleA

  15. Computing Registers’ Values We need an oracle that computes the values of the registers mov eax, 1 eax’s value dec eax is 0 push eax call GetModuleHandleA We use Jakstab [Kinder-Veith 2008] to implement the oracle Jakstab (Java Toolkit for static analysis of binaries) does a kind of constant propagation to determine registers’ values

  16. From Binary Codes to PDSs l 1 : mov eax, 1 l 2 : dec eax g 0 = entry point of l 3 : push eax GetModuleHandeA l 4 : call GetModuleHandleA l 5 : ... Control states of PDS = control points of program Stack alphabet = return addresses+ registers’ values l 1 l 2 Push 0 Push l 5 l 3

  17. Malicious behaviors? Binary code ╞ Malicious behavior ? Specification PDS formalism?

  18. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations.

  19. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations. How to describe this specification?

  20. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) EX p : there is a path where p holds at the next state

  21. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX call GetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX call GetModuleHandleA ) ˅ ….. all the other registers EX p : there is a path where p holds at the next state

  22. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA Huge! In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX call GetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX call GetModuleHandleA ) ˅ ….. all the other registers EX p : there is a path where p holds at the next state

  23. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 CTPL = CTL + ∃ , ∀ push eax variables + call GetModuleHandleA In CTL: mov(eax,0) ˄ EX ( push(eax) ˄ EX callGetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX callGetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX callGetModuleHandleA ) ˅ ….. all the other registers In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) r

  24. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 CTPL = CTL + ∃ , ∀ push eax variables + call GetModuleHandleA In CTL: CTPL cannot describe the stack: mov(eax,0) ˄ EX ( push(eax) ˄ EX callGetModuleHandleA ) ˅ needed for malicious behaviors mov(ebx,0) ˄ EX ( push(ebx) ˄ EX callGetModuleHandleA ) description ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX callGetModuleHandleA ) ˅ ….. all the other registers In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) r

  25. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations. In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) r

  26. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push ebx This returns the entry address of its pop ebx own executable. push eax Copy itself to other locations. call GetModuleHandleA In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) the head of r stack is 0 Our solution: Consider predicates over the stack In SCTPL: EF ( call GetModuleHandleA ˄ 0 Г* ) EF p : there is a path where p holds in the future

  27. SCTPL Logic  ::= b |¬  |  ∧  | EX  | E [  U  ] | EG 

  28. SCTPL Logic  ::= b(y 1 ,…,y n ) |¬  |  ∧  | EX  | E [  U  ] | EG  • y ∈ Y , a set of variables over a finite domain D

  29. SCTPL Logic  ::= b(y 1 ,…,y n ) |¬  |  ∧  | EX  | E [  U  ] | EG  |  y  • y ∈ Y , a set of variables over a finite domain D

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21 Overview

1.3k views • 53 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj Giovanni Vigna B.S Manjunath Ezeanaka Kingsley CISC850 Cyber Analytics CISC850 Cyber Analytics Abstract Sigmal as a malware detection framework -

454 views • 17 slides
D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command

D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command

D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command &amp; Control Automotive Consumer Energy &amp; Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&amp;D of malware with exotic C&amp;C

781 views • 34 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of

1.04k views • 52 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Introduction Mining specifications Detecting malware Results References Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir Touili 2 1 INRIA Rocqencourt 2 LIAFA Univ. Paris 7 November 4, 2013

870 views • 45 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng, Feng Li, Xukai Zou, and Jie Wu 1 / 47 Proximity malware Definition. Proximity malware is a malicious program which propagates

618 views • 47 slides
Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou Intro Increase of stealthy malware in enterprises Obfuscation, polymorphic techniques Often uses

766 views • 25 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I.

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I.

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software Mohammed I. Al-Saleh and Jedidiah R. Crandall Server Reconnaissance OS &amp; Services ports Client Server Client Reconnaissance Hmmm, what can I get about

705 views • 27 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 5 Viruses &amp; Worms, Botnets, Todays Threats Viruses &amp; Worms Viruses Program

693 views • 31 slides
Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a

Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a

4/19/2010 Chapter 21 Malicious Software Cryptography and Network Security Chapter 21 What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow Awaiting the blow. Fifth Edition On War,

352 views • 6 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

Table of Contents AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot) Architecture Paul Barford and Vinod Yagneswaran Remote Control Mechanisms Host Control Propagation Exploits and

158 views • 4 slides
CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7, 2017 Signature-based Anti-Virus Systems By far, the most popular weapon against cyber attacks is signature-based antivirus software. When

709 views • 12 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides

More recommend