run time classification of malicious processes using
play

Run-time Classification of Malicious Processes Using System Call - PowerPoint PPT Presentation

Jan 26, 2023 •357 likes •594 views

Run-time Classification of Malicious Processes Using System Call Analysis Ray Canzanese Spiros Mancoridis Moshe Kam Dept. of Electrical and Computer Engineering Newark College of Engineering College of Computing and Informatics Drexel

  1. Run-time Classification of Malicious Processes Using System Call Analysis Ray Canzanese Spiros Mancoridis Moshe Kam Dept. of Electrical and Computer Engineering Newark College of Engineering College of Computing and Informatics Drexel University New Jersey Institute of Technology Drexel University rcanzanese@gmail.com kam@njit.edu mancors@drexel.edu Malcon 2015 20-23 October Fajardo, Puerto Rico

  2. Acknowledgments The KEYSPOT Network People’s Emergency Center Dornsife Center for Neighborhood Partnerships The City of Philadelphia Mayor’s Commission on Literacy The City of Philadelphia Office of Innovation and Technology (OIT) The City of Philadelphia Department of Parks and Recreation (PPR) Secure and Trustworthy Cyberspace (SaTC) award from the National Science Foundation (NSF) – grant CNS-1228847 The Isaac L. Auerbach endowed chair for Spiros Mancoridis

  3. Setting Malware classification results are useful for generating ◮ Mitigation procedures ◮ Remediation procedures ◮ Detection signatures Classification using sandbox environments is resource-intensive Malware authors generate variant floods to overwhelm analysts Analysts struggle to keep up with influx of new samples We seek a classification system that Leverages endpoint monitoring Provides immediate classification results

  4. Previous work Related work Use static and dynamic analysis to classify malware samples 1 2 Use sandbox environments for off-line analysis Leverage various datasets ◮ Program structure, resources ◮ File, registry, network, system call activity Our approach Uses dynamic analysis (system call sequences) Focuses on on-line analysis ◮ Uses endpoint monitoring for feature extraction ◮ Does not require specialized sandbox environments ◮ Can provide immediate classification results 1Neugschwandtner, “Forecast: skimming off the malware cream,” 2011. 2Anderson, “Improving malware classification: bridging the static/dynamic gap,” 2012.

  5. Hypothesis Classify malware by Monitoring system call activity on endpoints Extracting a concise feature representation of the traces Comparing observed patterns to those of known malware Advantages Monitoring and extraction are low-overhead Classification results can be obtained at run-time Can be easily paired with static analysis techniques Availablility of results facilitates analysis

  6. Impact and broader contributions Feature extraction and classification algorithm comparison ◮ 3 feature extraction strategies ◮ 6 machine learning algorithms ◮ Analysis of trace length and n -gram length Ground truth labeling system comparison ◮ 27 naming schemes derived from AV labels ◮ Category and family naming schemes Design of a run-time classification system ◮ Algorithms and parameters based on experimental evaluation ◮ Evaluated against 76 , 000 distinct malware samples ◮ Enables more rapid response to newly disovered malware treats

  7. System call analysis Inferring a process’s function from its system call trace 3 System call Mechanism for requesting operating system (OS) services System call categories Atoms (strings) Miscellaneous Boot configuration Object management Debugging Plug and play Device driver control Power management Environment settings Processes and threads Error handling Processor information Files and general input/output Registry access Jobs Security functions Local procedure calls (LPC) Synchronization Memory management Timers 3Forrest, “A sense of self for UNIX processes,” 1996.

  8. System Call Service (SCS) Data collection host-agent 4 Designed for Windows 7, 8, Server 2008, and Server 2012 (32 and 64 bit) Collects process-level system call traces from all processes Applications Services System Call Service (SCS) Windows API User Mode Kernel Mode System call interface Device drivers OS kernel ETW 4SCS source code available: https://github.com/rcanzanese/SystemCallService

  9. Information retrieval Bag-of-system-call- n -grams representation 5 Raw system call trace: NtQueryPerformanceCounter NtProtectVirtualMemory NtProtectVirtualMemory NtQueryInformationProcess NtProtectVirtualMemory NtQueryInformationProcess Representation: system call 2 -gram bag count NtQueryPerformanceCounter, NtProtectVirtualMemory 1 NtProtectVirtualMemory, NtProtectVirtualMemory 1 NtProtectVirtualMemory, NtQueryInformationProcess 2 NtQueryInformationProcess, NtProtectVirtualMemory 1 5Kang, “Learning classifiers for misuse and anomaly detection using a bag of system calls representation,” 2005.

  10. Feature scaling Term frequency – inverse document frequency (TF-IDF) transformation 6 ◮ De-emphasize commonly occurring n -grams Singular value decomposition (SVD) 7 ◮ Reduce the dimensionality of the data ◮ Eliminate redundancy Linear discriminant analysis (LDA) 8 ◮ Reduce the dimensionality of the data ◮ Separate instances of differing classes 6Liao, “Using text categorization techniques for intrusion detection,” 2002. 7Manning, Introduction to Information Retrieval , 2008. 8Bishop, Pattern Recognition and Machine Learning , 2006.

  11. Classification Multi-class logistic regression (LR) 9 ◮ One-versus-all approach using stochastic gradient descent (SGD) ◮ Assume linearly separable classes Naive Bayes 10 ◮ Estimate priors from data ◮ Assume conditional independence Random Forests 11 ◮ Realize non-linear decision surfaces ◮ High training complexity Nearest neighbor 12 ◮ Realize non-linear decision surfaces ◮ High model & classification complexity Nearest centroid 13 ◮ Assume equal variance and class convexity 9Genkin, “Large-scale Bayesian logistic regression for text categorization,” 2007. 10VanTrees, Detection, Estimation, and Modulation Theory , 2001. 11Breiman, “Random forests,” 2001. 12Bishop, Pattern Recognition and Machine Learning , 2006. 13Han, “Centroid-based document classification: analysis and experimental results,” 2000.

  12. Evaluation FN C k false negatives TP C k true positives FP C k false positives TP C k Precision C k = TP C k + FP C k TP C k Recall C k = TP C k + FN C k F 1 , C k = 2 · Precision C k · Recall C k Precision C k + Recall C k

  13. Ground truth label comparison vendor type classes F 1 AntiVir category 17 0.79 Microsoft category 20 0.75 DrWeb category 12 0.75 Microsoft family 315 0.71 Vipre category 47 0.71 ESETNOD32 family 301 0.68 Panda category 19 0.68 Avast category 12 0.66 K7AntiVirus category 16 0.65 DrWeb family 241 0.59 ... ... ... ... McAfee family 125 0.53 Panda family 111 0.53 Ikarus family 442 0.5 Kaspersky family 290 0.49 FSecure family 175 0.48 Emsisoft category 73 0.48 Avast family 220 0.47 TrendMicro family 227 0.46 GData family 261 0.43 Emsisoft family 293 0.43

  14. Classifier and feature extraction strategy comparison detector feature extraction F 1 LR TF-IDF 0.70 nearest neighbor TF-IDF, SVD 0.67 nearest neighbor TF-IDF, SVD, LDA 0.67 random forests TF-IDF, SVD 0.67 random forests TF-IDF, SVD, LDA 0.67 LR TF-IDF, SVD, LDA 0.56 LR TF-IDF, SVD 0.53 Gaussian na¨ ıve Bayes TF-IDF, SVD, LDA 0.50 nearest centroid TF-IDF, SVD, LDA 0.42 Gaussian na¨ ıve Bayes TF-IDF, SVD 0.39 multinomial na¨ ıve Bayes TF-IDF 0.33 nearest centroid TF-IDF, SVD 0.19 Other advantages of LR: Low classification complexity Model can easily be updated when new training instances are added

  15. Classification accuracy vs. n -gram length Fixed trace length, l = 1500 0 . 85 0 . 80 weighted F 1 score 0 . 75 0 . 70 0 . 65 Microsoft-family 0 . 60 Microsoft-category AntiVir-category 0 . 55 ESETNOD32-family 0 . 50 1 2 3 4 5 n -gram length

  16. Classification accuracy vs. trace length Fixed n -gram length, n = 3 0 . 8 0 . 7 weighted F 1 score 0 . 6 0 . 5 Microsoft-family Microsoft-category 0 . 4 AntiVir-category ESETNOD32-family 0 . 3 250 500 750 1000 1250 1500 1750 2000 trace length

  17. Categorical confusion matrix classifier output TrojanDownloader SoftwareBundler MonitoringTool TrojanDropper TrojanClicker TrojanProxy TrojanSpy Backdoor HackTool Spammer Ransom Exploit VirTool Trojan Rogue DDoS Dialer Worm Virus PWS Backdoor 0 . 9 DDoS Dialer 0 . 8 Exploit HackTool 0 . 7 MonitoringTool PWS 0 . 6 Ransom ground truth Rogue 0 . 5 SoftwareBundler Spammer 0 . 4 Trojan TrojanClicker TrojanDownloader 0 . 3 TrojanDropper TrojanProxy 0 . 2 TrojanSpy VirTool 0 . 1 Virus Worm 0 . 0

  18. Malware family reults Microsoft MMPC labels Highest classification accuracy Lowest classification accuracy Narrowly defined families Broadly defined families Trojan.Mydoom Trojan.Meredrop Trojan.Recal Trojan.Gandlo!gmb Trojan.Jeefo Trojan.Ircbrute!gmb Worm.Klez Trojan.Sisron!gmb Virus.Elkern VirTool.Vtub

  19. System block diagram Shows classifier integrated with a system call-based detection system Feature Extractor Information retrieval Ordered 3-grams Processes System call traces Feature selection NtQueryPerformanceCounter System Call NtProtectVirtualMemory 4,000 feature selected using RFE Service NtProtectVirtualMemory NtQueryInformationProcess NtProtectVirtualMemory ... Feature scaling Frequency vs. log frequency IDF transformation L2 norm Classifier Detector feature vectors Logistic Regression Logistic Regression Microsoft or ESET labels Page's CUSUM test Binary decisions Suspected malware family (`malicious' or `benign')

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Classification Classification TNM classification Survival time Survival time Tumour size,

Classification Classification TNM classification Survival time Survival time Tumour size,

2003 I. Jurisica November 13, 2003 Classification Classification TNM classification Survival time Survival time Tumour size, location Lymph Node involvement Metastasis 1A -> T1, N0, M0 Integrated Computational Analysis Integrated

80 views • 7 slides
BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC

BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC

BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC FINGERPRINTING DAVID McGREW, PhD CISCO FELLOW mcgrew@cisco.com FLOCON 2020 PEOPLE David McGrew Blake Anderson Brandon Enright Adam Weller Lucas

561 views • 23 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
1 Classification of Shape Process Selection Some processes can make only simple shapes, others,

1 Classification of Shape Process Selection Some processes can make only simple shapes, others,

Process Selection Manufacturing processes Processes and their attributes The text book classified manufacturing processes into three broad categories The selection strategy Shaping Screening by attributes Joining

433 views • 7 slides
Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of)

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of) malicious activities without having to read logs Logs are boring, reading them takes a lot of time Graphic visualisation is more effective, fast

855 views • 30 slides
Gaussian Processes Covariance Functions and Classification Carl Edward Rasmussen Max Planck

Gaussian Processes Covariance Functions and Classification Carl Edward Rasmussen Max Planck

Gaussian Processes Covariance Functions and Classification Carl Edward Rasmussen Max Planck Institute for Biological Cybernetics T ubingen, Germany Gaussian Processes in Practice, Bletchley Park, July 12th, 2006 Carl Edward Rasmussen

696 views • 30 slides
If processes are fundamental, what does this tell us about the nature of time? Antony Galton

If processes are fundamental, what does this tell us about the nature of time? Antony Galton

If processes are fundamental, what does this tell us about the nature of time? Antony Galton Department of Computer Science University of Exeter, UK Process Biology Conference London, UK March 21st23rd 2018 I will not argue that processes

675 views • 44 slides
Dynamic Time Warping Averaging of Time Series allows Faster and more Accurate Classification F.

Dynamic Time Warping Averaging of Time Series allows Faster and more Accurate Classification F.

Dynamic Time Warping Averaging of Time Series allows Faster and more Accurate Classification F. Petitjean G. Forestier G.I. Webb A.E. Nicholson Y. Chen E. Keogh Compute average The Ubiquity of Time Series Sensors on machines Stock prices Wearables

638 views • 30 slides
Natural Language Processing Classification Classification II Dan Klein UC Berkeley Linear

Natural Language Processing Classification Classification II Dan Klein UC Berkeley Linear

Natural Language Processing Classification Classification II Dan Klein UC Berkeley Linear Models: Perceptron Issues with Perceptrons The perceptron algorithm Overtraining: test / held out accuracy Iteratively processes the

259 views • 12 slides
Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples Countermeasures against DoS Crypto Puzzles Stateless Protocols Avoid IP address spoofing / identifying malicious nodes Ingress filtering

937 views • 72 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Natural Language Processing Classification III Dan Klein UC Berkeley 1 Classification 2

Natural Language Processing Classification III Dan Klein UC Berkeley 1 Classification 2

Natural Language Processing Classification III Dan Klein UC Berkeley 1 Classification 2 Linear Models: Perceptron The perceptron algorithm Iteratively processes the training set, reacting to training errors Can be thought of as

599 views • 41 slides
Library of Congress Classification: 5.2 1 Library of Congress Classification: 5.2 In the

Library of Congress Classification: 5.2 1 Library of Congress Classification: 5.2 In the

Library of Congress Classification: 5.2 1 Library of Congress Classification: 5.2 In the previous module we discussed classification numbers whose captions consist of date spans. Those date spans sometimes refer to the time period covered in the

530 views • 18 slides
Distribution service classification: processes and principles Public Forum on Contestability of

Distribution service classification: processes and principles Public Forum on Contestability of

Distribution service classification: processes and principles Public Forum on Contestability of Energy Services: 25 January 2017 MEHNAZ YOOSUF ADVISER AUSTRALIAN ENERGY MARKET COMMISSION AEMC PAGE 1 Focus AEC focus COAG focus Regulation

352 views • 16 slides
Predicting data o v er time MAC H IN E L E AR N IN G FOR TIME SE R IE S DATA IN P YTH ON

Predicting data o v er time MAC H IN E L E AR N IN G FOR TIME SE R IE S DATA IN P YTH ON

Predicting data o v er time MAC H IN E L E AR N IN G FOR TIME SE R IE S DATA IN P YTH ON Chris Holdgraf Fello w, Berkele y Instit u te for Data Science Classification v s . Regression CLASSIFICATION REGRESSION

630 views • 39 slides
The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel Asynchrony Processes Protection Kernel The software component that controls the hardware directly and implements the core privileged OS

934 views • 62 slides
A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process with Smart Cards Roberto BARBERA (1)(2) , Vincenzo CIASCHINI (3) , Alberto FALZONE (4) , Giuseppe LA ROCCA (1)

456 views • 32 slides
1. Introduction to a new Type of Matching 2. The polynomials U ,k,n ( x ) 3. Background and

1. Introduction to a new Type of Matching 2. The polynomials U ,k,n ( x ) 3. Background and

1. Introduction to a new Type of Matching 2. The polynomials U ,k,n ( x ) 3. Background and Previous Results 4. Extreme Coefficients 5. 2 Closed Forms from Recursions 6. Q-Analogues 7. Q-statistic 8. Unanswered Questions Notion of a

464 views • 31 slides
r r

r r

r r ss s sr rtt tr

1.21k views • 96 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Introduction to OSs What is an Operating System? Architectural Support for Operating

Introduction to OSs What is an Operating System? Architectural Support for Operating

CPSC-410 Operating Systems Introduction Introduction to OSs What is an Operating System? Architectural Support for Operating Systems Basic Organization of an Operating System Reading: Silberschatz (7 th ed), Chapters 1, 2

873 views • 19 slides
Virtual File System Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats

Virtual File System Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats

Virtual File System Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture System Calls Kernel RCU File System Networking Sync Memory CPU Device Management Scheduler Drivers Hardware

413 views • 39 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides

More recommend