you are what you do hunting stealthy malware via data
play

You Are What You Do: Hunting Stealthy Malware via Data Provenance - PowerPoint PPT Presentation

Jan 08, 2024 •652 likes •915 views

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis Qi Wang , Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, Carl A. Gunter, Haifeng Chen NDSS 2020 Feb 26 th , 2020,

  1. You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis Qi Wang , Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, Carl A. Gunter, Haifeng Chen NDSS 2020 Feb 26 th , 2020, San Diego

  2. T h e pi ct Malware is Becoming Stealthier ur e ca n' t b e di s pl ay e d. § As malware detection has greatly advanced, adversaries are increasingly focusing on new techniques to evade detection. § One recent line of stealthy attacks achieve their attack goals by impersonating or abusing well-trusted programs (e.g., IE, Java). running process The malicious behavior is blended with benign behaviors of IE. 2

  3. T h e pi ct Stealthy Malware/Attacks ur e ca n' t b e di s pl ay e d. § Advanced stealthy techniques are being actively developed. – Memory code injection • E.g., reflective DLL injection, process hollowing – Script-based attacks • Embedding payload in documents like MS Word and Excel – Vulnerability exploits • E.g., CVE- 2019-0541 allows arbitrary code execution in IE § Various stealthy strategies are being employed. – Fileless techniques (i.e., minimizing the usage of regular file systems) – Living off the land (i.e., using dual-use tools such as certutil) 3

  4. T h e pi ct A Real-world Stealthy Attack ur e ca n' t b e di s pl ay e d. open invoke cmd.exe Word File Phishing Email invoke execute 0.ps1 execute Empire Empire Backdoor powershell.exe powershell.exe No files were created C&C fetch 0.ps1 fetch Empire.ps during the attack! Dropbox Server Attacker Server Technical reports estimated that stealthy attacks grew by 265% in the first half of 2019, and are 10 times more likely to succeed compared to traditional attacks! 4

  5. T h e pi ct Challenges for Detecting Stealthy Attacks ur e ca n' t b e di s pl ay e d. § Taking advantages of well-trusted Could bypass whitelisting. programs in the system. – Living off the land § Residing in the victim process’s Signature-based or file-based solutions are ineffective. memory. – Being fileless § There are a variety of stealthy Solutions target certain techniques do not work for others. techniques. A general and effective approach to detect stealthy attacks is needed! 5

  6. T h e pi ct Our Insights ur e ca n' t b e di s pl ay e d. § While a stealthy malware could employ different techniques to impersonate benign processes, its malicious behavior will inevitably interact with the underlying operating systems and leave traces. OS-level provenance tracking … processes, files, sockets § Thus, we could use OS-level provenance analysis to differentiate benign and hijacked (malicious) processes. – We consider three types of system entities: processes, files and sockets. 6

  7. T h e pi ct Problem Solved? ur e ca n' t b e di s pl ay e d. … collect build … … … Target Program Benign Profile Benign Provenance Graphs new instance Challenges § Detection of marginal deviation … – Stealthy malware tends to incur only marginal deviation for its malicious behavior. § Scalable model building and detection – The size of the provenance graph grows rapidly over Benign or Malicious? time. 7

  8. T h e pi ct ProvDetector ur e ca n' t b e di s pl ay e d. Representation Anomaly Graph Building Embedding Extraction Detection predication Process predication predication Final Decision predication Provenance Database Frequency Database 8

  9. T h e pi ct Representation Extraction ur e ca n' t b e di s pl ay e d. § We propose to use causal paths as the features for a provenance graph. – The marginal malicious paths are blended with normal paths. § How to choose the malicious paths? – Rare paths are more likely to be malicious. write read_by write winword.exe *.doc outlook.exe x.x.x.x Frequency Database create create create winword.exe cmd.exe powershell.exe powershell.exe 9

  10. T h e pi ct Rareness-based Path Selection ur e ca n' t b e di s pl ay e d. § We use regularity score to define the rareness of a path. − For a path , where , the regularity score is: The less frequent and less stable an event is, the less regularity score it has. Event Out stability In stability frequency Finding paths with the lowest regularity scores from a provenance graph. 10

  11. T h e pi ct Embedding ur e ca n' t b e di s pl ay e d. § How to feed the paths to anomaly detection models? – The lengths of causal paths are not fixed. – The attributes of nodes are unstructured data (e.g., file names). § Projecting paths into numerical vector space. – We view a causal path as a sentence/document. • Each node is treated as a “noun” and each edge is treated as a “verb”. • Embed the “sentence” into vector using doc2vec. write read_by write winword.exe t1.doc outlook.exe 168.x.x.x Process:winword.exe write File:t1.doc read by Process:outlook.exe write Socket:168.x.x.x. In vector space, similar paths are closer while different paths are far away. 11

  12. T h e pi ct Anomaly Detection ur e ca n' t b e di s pl ay e d. § We use a novelty detection model to determine if a path is abnormal. predication – We train the model with only the embeddings of benign paths. predication – It is able to detect unknown attacks or zero-day attacks. predication predication § We then use a threshold-based method to make the final decision. – If more than n path vectors are predicted as malicious, we treat the provenance graph as malicious. 12

  13. T h e pi ct Evaluation ur e ca n' t b e di s pl ay e d. § Provenance dataset preparation – Malicious dataset • We ran about 15,000 malware samples from VirusShare and VirusSign. – Benign dataset • We deployed ProvDetector in an enterprise with 306 Windows hosts for 3 months. § We identified 23 target programs in both datasets. – Popular applications • E.g., IE Browser and Microsoft Word. – Preinstalled system tools • E.g., Windows Common Line (cmd) and Windows Certificate Services Tool (certutil) 13

  14. T h e pi ct ur e ca n' t b e di s pl ay e d. How effective is ProvDetector in detecting stealthy malware? 14

  15. T h e pi ct Detection Accuracy ur e ca n' t b e di s pl ay e d. § We evaluate with the 23 target programs. – For each program, we chose 250 benign and 50 malicious processes. • 200 benign process were used for training. • 50 benign and 50 malicious processes were used for evaluation. – For each process, we select the top 20 rarest paths from its provenance graph. Threshold Precision Recall F1-Score 3 0.957 1.000 0.978 4 0.995 1.000 0.997 15

  16. T h e pi ct ur e ca n' t b e di s pl ay e d. Why the Whole Graph is not an effective feature? 16

  17. T h e pi ct Comparison with Graph Embedding ur e ca n' t b e di s pl ay e d. § A graph embedding approach – Embedding a provenance graph into a vector using graph2vec. Approach Precision Recall F1-Score ProvDetector 0.957 1.000 0.978 graph2vec 0.899 0.452 0.601 The whole graph is not an effective feature for detecting stealthy attacks! 17

  18. T h e pi ct Why Using Paths are More Effective? ur e ca n' t b e di s pl ay e d. § We use MS word as an example (50 benign and 50 malicious) We randomly selected 20 paths from We selected top 20 rarest paths from benign and malicious graphs. benign and malicious graphs. t-SNE plot of random paths t-SNE plot of selected paths 18

  19. T h e pi ct Summary ur e ca n' t b e di s pl ay e d. § OS-level data provenance could capture the malicious behavior of stealthy attacks. Thanks! § We propose a rareness-based path selection algorithm to identify the potentially malicious part as detection features. § We present ProvDetector, a provenance-based approach to Q&A automatically detect stealthy attacks. § We demonstrate its effectives through a systematic evaluation in an enterprise environment. 19

  20. T h e pi ct ur e ca n' t b e di s pl ay e d. Backup Slides 20

  21. T h e pi ct Implementation ur e ca n' t b e di s pl ay e d. § We implement ProvDetector for both Windows and Linux. – Provenance tracking is implemented with Windows ETW framework and the Linux Audit framework. – The provenance graph builder and the representation extractor are implemented using about 15K lines of Java code. – Embedding and anomaly detection are implemented in Python. § Provenance Data Preprocessing – Path Abstraction • We remove user specific details from process entities and file entities. • E.g., *:/USERS/*/DESKTOP/PAPER.DOC – Socket Connection Abstraction • We remove the source part of an outgoing connection and the destination part of an incoming connection. 21

  22. T h e pi ct Graph-level Detection Accuracy ur e ca n' t b e di s pl ay e d. 1 0.9 Precision or Recall 0.8 0.7 0.6 0.5 0.4 Precision Recall 0.3 0 2 4 6 8 10 12 14 16 18 20 Threshold 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior Researcher CERT Polska/NASK/ Warsaw University of Technology piotr.bialczak@cert.pl Twitter: @bialczakp 2 Malware hunting A mouse and cat game? 3

828 views • 28 slides
Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion & Hypervisor Technologies and Consulting Ltd Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 1 /

553 views • 21 slides
Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD Dissertation kjl2y@virginia.edu November 30, 2016 Analogy: Volkswagen Scandal Volkswagen cheated on emissions test (over 10x EPA requirements) 2

1.56k views • 78 slides
Soundminer A Stealthy and Context-Aware Sound Trojan for Smartphones Roman Schlegel, Kehuan

Soundminer A Stealthy and Context-Aware Sound Trojan for Smartphones Roman Schlegel, Kehuan

Soundminer A Stealthy and Context-Aware Sound Trojan for Smartphones Roman Schlegel, Kehuan Zhang, Zhou Li, Apu Kapadia, XiaoFeng Wang Sensory Malware Malware equipped with sensors Steal video Steal audio Steal location

463 views • 7 slides
Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou Intro Increase of stealthy malware in enterprises Obfuscation, polymorphic techniques Often uses

766 views • 25 slides
Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software Architect 1 Agenda Problem Description Fileless Attacks Overview Common Injection Techniques Current Challenges with memory

870 views • 22 slides
Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

648 views • 34 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:> whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus & Interests: Malware Analysis, Threat Intel,

1.45k views • 115 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors -

904 views • 30 slides
Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Adware/Spyware - Backdoors - Viruses

383 views • 26 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Home Visiting Request for Proposals Pre-Bid Conference September 15 th , 2020 Disclaimer This

Home Visiting Request for Proposals Pre-Bid Conference September 15 th , 2020 Disclaimer This

Home Visiting Request for Proposals Pre-Bid Conference September 15 th , 2020 Disclaimer This presentation includes brief descriptions of the RFP specifications and requirements but does not fully elaborate on all required elements. As a result,

509 views • 36 slides
Relationship between Economic Activity and Uncertainty P LANTE , R ICHTER , AND T HROCKMORTON : T

Relationship between Economic Activity and Uncertainty P LANTE , R ICHTER , AND T HROCKMORTON : T

T HE Z ERO L OWER B OUND AND E NDOGENOUS U NCERTAINTY Michael Plante Federal Reserve Bank of Dallas Alexander W. Richter Federal Reserve Bank of Dallas Nathaniel A. Throckmorton College of William & Mary The views expressed in this

518 views • 39 slides
1 Disinfection Requirements for Tracer Studies and Contact Time: Surface Water Used to

1 Disinfection Requirements for Tracer Studies and Contact Time: Surface Water Used to

Essentials of Surface Water Background (continued) Treatment 1998 Interim Enhanced Surface Water Treatment Rule (Part 2) (IESWTR) Addressed concerns about Crypto (required 2-log removal) Oregon Health Authority CF/DF: Lowered

532 views • 24 slides
Optimal Simple And Implementable Monetary and Fiscal Rules Stephanie Schmitt-Groh e Mart

Optimal Simple And Implementable Monetary and Fiscal Rules Stephanie Schmitt-Groh e Mart

Optimal Simple And Implementable Monetary and Fiscal Rules Stephanie Schmitt-Groh e Mart n Uribe Duke University September 2007 1 Welfare-Based Policy Evaluation: Related Literature (ex: Rotemberg and Woodford, 1999)

615 views • 40 slides
1 The Euler system of equations The Euler system of equations describing flows of incompressible

1 The Euler system of equations The Euler system of equations describing flows of incompressible

On integration of the equations of incompressible fluid flow Valery Dryuma, e-mail: valdryum@gmail.com Institute of Mathematics and Computer Science, AS RM, Kishinev 1 The Euler system of equations The Euler system of equations describing

284 views • 3 slides
Downtown Market Analysis and Benchmarking A workshop on using data to guide your work and

Downtown Market Analysis and Benchmarking A workshop on using data to guide your work and

Downtown Market Analysis and Benchmarking A workshop on using data to guide your work and to measure your accomplishments Presented to Connecticut Main Street Communities December 2, 2016, New Britain, CT John Simone, Connecticut Main

972 views • 49 slides
O utcome and R esource I M pacts Clinical outcomes of FFR CT -guided diagnostic strategies versus

O utcome and R esource I M pacts Clinical outcomes of FFR CT -guided diagnostic strategies versus

P rospective L ongitudin A l T rial of F FR CT O utcome and R esource I M pacts Clinical outcomes of FFR CT -guided diagnostic strategies versus usual care in patients with suspected coronary artery disease Pamela S. Douglas, Gianluca Pontone,

196 views • 15 slides
EORTC GCG 55994 Randomized phase III study of neoadjuvant CT followed by surgery vs. concomitant

EORTC GCG 55994 Randomized phase III study of neoadjuvant CT followed by surgery vs. concomitant

Ongoing Trials status update EORTC GCG 55994 Randomized phase III study of neoadjuvant CT followed by surgery vs. concomitant RTX+CT in FIGO stage Ib2, IIa > 4 cm or IIb cervical cancer. Trial setting: FIGO stage Ib2, IIa > 4 cm or

482 views • 4 slides

More recommend