session 5 information security northeastern university
play

Session 5: Information Security Northeastern University - PowerPoint PPT Presentation

Jul 18, 2023 •19 likes •669 views

Session 5: Information Security Northeastern University International Secure Systems Lab A Large-Scale, Automated Approach to Detecting Ransomware Amin Kharraz mkharraz@ccs.neu.edu Disclosure: This research was funded by National Science

  1. Session 5: Information Security

  2. Northeastern University International Secure Systems Lab A Large-Scale, Automated Approach to Detecting Ransomware Amin Kharraz mkharraz@ccs.neu.edu Disclosure: This research was funded by National Science Foundation and Secure Business Austria

  3. Infecting Victim’s Machine Attachments Drive-by Downloads Malicious binaries

  4. Macro Viruses: An Innocent Looking Word File

  5. By opening the file you might get infected

  6. What is a ransomware attack? 1 Paying the ransom fee Paying the ransom fee Receiving the decryption key 2

  9. Achilles’ Heel of Ransomware • Ransomware has to inform victim that attack has taken place • Ransomware has certain behaviors that are predictable – e.g., entropy changes, modal dialogs and background activity, accessing user files • A good sandbox that looks for some of these signs helps here…

  10. Content Generator User I/O MANAGER Kernel UNVEIL

  11. User I/O MANAGER Kernel UNVEIL

  12. Iteration over files during a CryptoWall attack

  13. Evaluation UNVEIL with unknown samples ~ 1200 malware samples per day 56 UNVEIL-enabled . . . VMs on 8 Servers Ganeti Cluster

  14. Evaluation UNVEIL with unknown samples ● The incoming samples were acquired from the daily malware feed provided by Anubis from March 18 to February 12, 2016. ● The dataset contained 148,223 distinct samples.

  15. Cross-checking with VirusTotal ● The results are concentrated either towards small or very large detection ratios. ● A sample is either detected by a relatively small number, or almost all of the scanners.

  16. Deployment Scenario (Malware Research) Sandbox . . . Malware Dataset Malware Analyst

  17. Deployment Scenario (End-point Solution) ● Running UNVEIL as an augmented service ● UNVEIL supports legacy platforms ● Incurs modest overhead, averaging 2.6% for realistic work loads

  18. Conclusion • Ransomware is a challenging problem – But it has predictable behaviors compared to other malware • UNVEIL introduces concrete models to detect those behaviors – We’ve shown that our detection model is useful in practice • There is definitely room for improvement – We can extend our dynamic systems with functionality tuned towards detecting ransomware

  19. Thank You

  20. INVESTIGATING COMMERCIAL PAY-PER-INSTALL Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panos Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy This research was funded by the National Science Foundation and Gifts from Google

  21. Unwanted software Millions of users with symptoms of unwanted software. How was it installed?

  22. Commercial pay-per-install Practice of bundling several additional applications.

  23. Deceptive promotions Users deceived into unintentionally installing unrelated software.

  24. Our work Year-long investigation into the marketplace of bundling: Relationships with unwanted software Deceptive promotional tools Negative impact on users Get the community on board to tackle unwanted software

  25. 1 BEHIND THE SCENES

  26. Pay-per-install affiliate model Advertisers: software developers willing to buy installs.

  27. Pay-per-install affiliate model $$$ Advertisers PPI Network PPI affiliate network: middle-man that create download manager.

  28. Pay-per-install affiliate model Advertisers $$$ $$ PPI Network Publishers Publishers: popular software developers or websites that distribute bundles for a fee.

  29. Pay-per-install affiliate model Advertisers $$$ $$ PPI Network Publishers Decentralized distribution can lend itself to abuse.

  30. 2 MONITORING PPI NETWORKS

  31. Upon launching a PPI bundle... Fingerprint C&C domain system & request offers Report successful installs Optional splash screen post- install

  32. Analysis pipeline

  33. Dataset PPI Network Milking Period Offers Unique Outbrowse Jan 8, 2015 -- Jan, 7, 2016 107,595 584 Amonetize Jan 8, 2015 -- Jan, 7, 2016 231,327 356 InstallMonetizer Jan 11, 2015 -- Jan, 7, 2016 30,349 137 OpenCandy Jan 9, 2015 -- Jan, 7, 2016 77,581 134 Total Jan 8, 2015 -- Jan, 7, 2016 446,852 1,211

  34. 3 ANALYSIS

  35. Most frequent advertisers Brand PPI Networks Days Active Wajam 4 365 Ad Vopackage 3 365 Injectors Youtube Dwnldr 3 365 Eorezo 2 365 Browsefox 4 363 Browser Conduit 3 327 Settings CouponMarvel 1 300 Hijackers Smartbar 3 294 Speedchecker 2 365 Cleanup Uniblue 4 327 OptimizerPro 4 302 Utilities Systweak 3 249

  36. VirusTotal labels 59% of weekly offers flagged by at least 1 AV

  37. Anti-virus detection Advertiser-specified installation criteria avoids hostile AV: (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Avast')!=0) (g_ami.CheckRegKey(g_hkcu, 'SOFTWARE\\\\Avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'Software\\\\AVAST Software')!=0) (g_ami.CheckRegKey(g_hkcu, 'Software\\\\AVAST Software')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Avira')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Classes\\\\avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\ESET')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'AppEvents\\\\Schemes\\\\Apps\\\\Avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SYSTEM\\\\CurrentControlSet\\\\Services\\\\avast! Antivirus ')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\{C1856559-BA5C-41B7-961C-677E89A2C490}')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\{0D40F91C-41DE-4E06-8B14-ABCCF7A51495}')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\{8B261394-6C7D-4CFC-A767-E02F34A60D8B}')!=0) HKEY_LOCAL_MACHINE SOFTWARE\\\\OpenVPN HKEY_LOCAL_MACHINE SOFTWARE\\\\VMware,*Inc. HKEY_LOCAL_MACHINE SOFTWARE\\\\Oracle\\\\VirtualBox| 20% of advertisers use some AV/VM detection

  38. Price per install Price ranges $0.10–$1.50

  39. 4 USER IMPACT

  40. Unwanted software warnings

  41. Weekly user warnings 60M warnings every week

  42. 5 DECEPTIVE DISTRIBUTION

  43. Promotional tools

  44. Domain cycling Distribution sites cycle every 1-7 hours

  45. Safe Browsing evasion

  46. Takeaways Unwanted software massive commercial ecosystem: Tens of millions of users affected Pay-per-install primary distribution vector Misaligned incentives for advertisers, publishers

  47. Killed by Proxy: Analyzing Client-end TLS Interception Software Xavier de Carné de Carnavalet and Mohammad Mannan Concordia University, Canada Funding support: Vanier CGS, NSERC, and OPC Original publication: NDSS 2016

  48. HTTPS usage • Secures client-server connection • > half the websites now support HTTPS

  49. Antivirus vs. HTTPS • Both help secure your data/online experience Browser Antivirus Website • AVs also want to guard against web malware • But malware may come via HTTPS

  50. Client-end TLS interception 1. Ad-related products (SuperFish/PrivDog/Komodia) • inject/replace ads 2. Antivirus products • eliminate drive-by downloads, malicious scripts 3. Parental control applications • block access to unwanted websites, hide swear words

  51. Wanted vs. unwanted interception • Unwanted adware can/should be removed • But AVs and parental control apps are – “wanted” – “strongly recommended” or “required”

  52. Our targets • 14 security products in Windows – March and August 2015 • All but one significantly downgrade TLS security

  53. Implications • Attacker must be an active Man-in-the-Middle – Anywhere between a user and website – Target all users of a product vs. selective users – No admin privilege is needed • Can impersonate a server • Can extract secrets e.g., authentication cookies • Design flaws – not software bugs

  55. Our test framework Hybrid test framework: adapt existing + custom tests 1. Private key protection 2. Certificate validation 3. Cipher suites & protocols 4. Transparency

  56. Root certificate and private key • Pre-generated certificates (2/14) • Proxies accept own certificates (12*/12) • User-readable private keys (9/14) • Root cert. not removed after uninstallation (8/14) • Certificates are valid, on average, for 10 years

  57. Site certificate validation • No validation (3/12) • Improper signature verification (1/12) • Accept weak primitives: MD5 (9/12), RSA 512 (7/12) • No revocation check (9/12) • Custom CA store (3/12): DigiNotar+CNNIC; Mozilla Trusted CAs from 2009; One RSA 512 root CA

  58. Protocol, cipher suites and attacks • SSL 3.0 support (6/12), no support for TLS 1.1+ (6/12) • Weak cipher suites: RC4 and MD5 (10/12) • Proxies vulnerable to known attacks: Insecure Renegotiation (1), BEAST (7), CRIME (1), FREAK (5), Logjam (3)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Alexandru Suciu Northeastern University Session on the Geometry and Topology of Differentiable

Alexandru Suciu Northeastern University Session on the Geometry and Topology of Differentiable

T OPOLOGY OF COMPLEX ARRANGEMENTS Alexandru Suciu Northeastern University Session on the Geometry and Topology of Differentiable Manifolds and Algebraic Varieties The Eighth Congress of Romanian Mathematicians Ia si, Romania, June 30, 2015

510 views • 23 slides
Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University noubir@ccs.neu.edu CSG254: Network Security Slides adapted from Radia Perlmans slides Key Distribution - Secret Keys What if there are millions of users

706 views • 41 slides
Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University noubir@ccs.neu.edu Network Security Slides adapted from Radia Perlmans slides Key Distribution - Secret Keys What if there are millions of users and

624 views • 14 slides
Email Security Guevara Noubir Network Security Northeastern

Email Security Guevara Noubir Network Security Northeastern

Email Security Guevara Noubir Network Security Northeastern University Email Security 1 Email One of the most widely used applica>ons of the

360 views • 14 slides
Alex Suciu Northeastern University Special Session Advances in Arrangement Theory Mathematical

Alex Suciu Northeastern University Special Session Advances in Arrangement Theory Mathematical

A RRANGEMENT COMPLEMENTS AND M ILNOR FIBRATIONS Alex Suciu Northeastern University Special Session Advances in Arrangement Theory Mathematical Congress of the Americas Montral, Canada July 25, 2017 A LEX S UCIU (N ORTHEASTERN ) A RRANGEMENT

593 views • 17 slides
Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter

Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter

Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter Hack Reloaded, Ed Skoudis, 2005, Prentice-Hall. Threats to Communication Networks Security was an add-on to many network

456 views • 10 slides
Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University

Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University

Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu G. Noubir Tools 1 1 Lesson Outcomes: you need to be able to Describe and discuss the various security threats to

1.04k views • 39 slides
Wireless and Mobile Security -- an introduction Guevara Noubir Northeastern University

Wireless and Mobile Security -- an introduction Guevara Noubir Northeastern University

Wireless and Mobile Security -- an introduction Guevara Noubir Northeastern University noubir@ccs.neu.edu Outline Introduction to the topics Structure of lectures Logistics G. Noubir 2 Wireless Communications Key technology

222 views • 10 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Northeastern University 815 Columbus Avenue Northeastern EXP is a nine-story, 350,000-square-foot

Northeastern University 815 Columbus Avenue Northeastern EXP is a nine-story, 350,000-square-foot

Boston Employment Commission Presentation September 16, 2020 Northeastern University 815 Columbus Avenue Northeastern EXP is a nine-story, 350,000-square-foot research center on Columbus Avenue. This preliminary rendering shows a facility that

776 views • 16 slides
1 Terminology Security services: Authentication, confidentiality, integrity,

1 Terminology Security services: Authentication, confidentiality, integrity,

Fundamentals of Cryptography: Algorithms, and Security Services Professor Guevara Noubir Northeastern University noubir@ccs.neu.edu Network Security: Private Communication in a Public World [Chap. 2-8] Charles Kaufman, Mike Speciner, Radia

454 views • 20 slides
Information Security Collaboration Tom Dugas, Director of Information Security @ Duquesne

Information Security Collaboration Tom Dugas, Director of Information Security @ Duquesne

Information Security Collaboration Tom Dugas, Director of Information Security @ Duquesne University Maureen Bertocci, Director of Information Security @ Robert Morris University What is C-CUE C-CUE is a Western-PA regional association of

433 views • 11 slides
INFORMATION SECURITY A DAY IN THE LIFE WHO AM I? Security officer for MIE CISSP , CISA,

INFORMATION SECURITY A DAY IN THE LIFE WHO AM I? Security officer for MIE CISSP , CISA,

INFORMATION SECURITY A DAY IN THE LIFE WHO AM I? Security officer for MIE CISSP , CISA, CGEIT, CRISC, CRMA, PMP , FLMI and studying for CISM RMR and JA Interactive session share stories THREAT SOURCES Nation States

491 views • 26 slides
Reinforcement Learning Rob Platt Northeastern University Some images and slides are used from:

Reinforcement Learning Rob Platt Northeastern University Some images and slides are used from:

Reinforcement Learning Rob Platt Northeastern University Some images and slides are used from: AIMA CS188 UC Berkeley Reinforcement Learning (RL) Previous session discussed sequential decision making problems where the transition model and

609 views • 58 slides
Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems Lab 3 Review on CSRF & Path Traversal Hacker Wall of Fame (Lab 3 members in italics) Jacob Buckheit (2x) Jenny Zhu Ti ff any Chen

238 views • 13 slides
Lunch & Learn May 19, 2016 Northeastern University AGENDA Staffing Update Internal

Lunch & Learn May 19, 2016 Northeastern University AGENDA Staffing Update Internal

Northeastern University Research Administration Lunch & Learn May 19, 2016 Northeastern University AGENDA Staffing Update Internal Deadline Reminder CITI Clarification Award Budget Obligation Template Funding Agency Updates Forms

182 views • 14 slides
Noise in neural populations limits working memory by Bays (2015) By Richard Thripp EXP 6506

Noise in neural populations limits working memory by Bays (2015) By Richard Thripp EXP 6506

A Review of Spikes not slots: Noise in neural populations limits working memory by Bays (2015) By Richard Thripp EXP 6506 University of Central Florida September 10, 2015 This is an opinion article. The author cites sources to create

714 views • 50 slides
Indonesia September 2009 Website Release Disclaimer & Forward Looking Statements

Indonesia September 2009 Website Release Disclaimer & Forward Looking Statements

The Malala Molybdenum Project Indonesia September 2009 Website Release Disclaimer & Forward Looking Statements Forward-Looking Statements This presentation may contain forward-looking statements that are subject to risks, uncertainties and

663 views • 31 slides
The Cheltenham CCTV Scheme 1. History The Cheltenham Borough Council CCTV Scheme commenced in

The Cheltenham CCTV Scheme 1. History The Cheltenham Borough Council CCTV Scheme commenced in

The Cheltenham CCTV Scheme 1. History The Cheltenham Borough Council CCTV Scheme commenced in 1994 when 5 cameras were installed at key locations within the town centre, the scheme has since grown considerably to a current level of 60. All of

200 views • 3 slides
Session 4: Time-Space Compression and its Correlates Speed-Space in the Global Village: A

Session 4: Time-Space Compression and its Correlates Speed-Space in the Global Village: A

Session 4: Time-Space Compression and its Correlates Speed-Space in the Global Village: A Conceptual Review The Incredible Shrinking World Being Almost There: I may be in France, but my spirit is in Tahrir Square o We are all [

337 views • 16 slides
Singer Thailand Public Company Limited 2Q13 & 1H13 Performance Review at Opportunity Day, The

Singer Thailand Public Company Limited 2Q13 & 1H13 Performance Review at Opportunity Day, The

Singer Thailand Public Company Limited 2Q13 & 1H13 Performance Review at Opportunity Day, The Stock Exchange of Thailand Financial Services Brands Customer People Service Systems Distribution Disclaimer The information contained in

413 views • 38 slides
(12) United States Patent US 8,867,708 B1 (10) Patent N0.: *oa. 21, 2014 Lavian et a]. (45)

(12) United States Patent US 8,867,708 B1 (10) Patent N0.: *oa. 21, 2014 Lavian et a]. (45)

US008867708B1 (12) United States Patent US 8,867,708 B1 (10) Patent N0.: *oa. 21, 2014 Lavian et a]. (45) Date of Patent: 4,897,866 A 1/1990 Majmudar et a1. (54) SYSTEMS AND METHODS FOR VISUAL 5,006,987 A 4/1991 Harles PRESENTATION AND

542 views • 53 slides
Progress on Wet Deposition Sample Analysis Guey-Rong Sheu Department of Atmospheric Sciences

Progress on Wet Deposition Sample Analysis Guey-Rong Sheu Department of Atmospheric Sciences

Update on the APMMN and Progress on Wet Deposition Sample Analysis Guey-Rong Sheu Department of Atmospheric Sciences National Central University Taiwan Update on the APMMN: Center for Environmental Monitoring and Technology Background

547 views • 25 slides
Mercury in East and Southeast Asia Guey-Rong Sheu Department of Atmospheric Sciences National

Mercury in East and Southeast Asia Guey-Rong Sheu Department of Atmospheric Sciences National

Mercury in East and Southeast Asia Guey-Rong Sheu Department of Atmospheric Sciences National Central University Jhong-Li, Taiwan Why Is Mercury Still A Concern? Historical Hg Conc. in Biological Samples (UNEP, 2013) Marine Fish and Mammal

597 views • 24 slides

More recommend