
A Layered Architecture for Detecting Malicious Behaviors

A Layered Architecture for Detecting Malicious Behaviors. Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, John Mitchell. RAID 2008. Bot-infected Computers. Botnets are used to perform nefarious tasks, such as: keystroke logging, spyware installation,


Presentation Transcript


  1. A Layered Architecture for Detecting Malicious Behaviors
  Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, John Mitchell. RAID 2008

  2. Bot-infected Computers
  • Botnets are used to perform nefarious tasks, such as:
    • keystroke logging,
    • spyware installation,
    • denial-of-service (DoS) attacks,
    • hosting phishing web sites or command-and-control servers,
    • spamming,
    • click fraud,
    • license key theft

  3. Disadvantages of the Traditional Method
  • Even the most effective malware detectors fail to detect more than 30% of malware seen in the wild.
  • Traditional malware detectors are based on syntactic signatures.
  • Malware producers can easily generate malware variants capable of evading existing signatures.
  • Malware detectors have a finite set of syntactic signatures, but malicious programs have an infinitely mutable syntax.

  4. Behavior-based Malware Detection
  • Detect the high-level actions that financially motivate malware development and distribution:
    • keystroke logging
    • data leaking
    • proxying
    • program download and execute

  5. Semantic Gap between Models and Monitored Events
  • Monitor execution of the program using an emulator.
  • The lowest-level events in behavior specifications are system calls.
  • Malicious behaviors are described as sequences of essential actions.
  • E.g. what we see as low-level events (NtDeviceIo..., NtOpenFile, NtCreateSe..., NtMapView...) is different from the essential actions we need to identify as a behavior (download a file and execute it).

  6. Solutions
  • Complex, high-level behaviors are decomposed into multiple layers.
  • The lowest layer represents system call invocations.
  • Upper layers have richer semantics.
  • E.g. the hierarchy of events used to specify download_exec.

  7. Contributions
  • A behavior-specification language that can be used to describe novel, semantically meaningful behaviors.
  • A detector that identifies when a process performs a specified high-level action, regardless of the process's source-code implementation of the action.
  • The evaluation demonstrates that the detector can distinguish malicious execution of high-level behaviors from benign execution.

  8. Behavior Graphs • A behavior graph is a directed graph of a form that is adapted from and extends AND/OR graphs.

  9. Behavior Graphs • Internal nodes represent events (with formal parameters)

  10. Behavior Graphs • Edges represent predicates on event arguments

  11. Behavior Graphs • ORed edges represent events of which at least one has to occur

  12. Behavior Graphs • ANDed edges represent events that all have to occur (but can occur in any order)

  13. Behavior Graphs • Annihilator and replicator nodes represent events that destroy and duplicate resources

  14. Behavior Graphs • Acceptor nodes represent actions taken by our system when behaviors are matched

  15. Matching Malicious Behaviors • OS events are passed to the lowest layer
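The layered matching sketched on slides 6 and 8 to 15, as an added Python example that is not the authors' code: two layers of behavior graphs turn constructed system-call events into essential actions and then into download_exec, with ANDed edges (any order), OR alternatives, edge predicates that bind arguments to shared variables, a taint guard, a remotely-initiated (not user-input) guard, and an acceptor. The event names, argument names, taint/user-input flags and the trace are assumptions made for the example; annihilator and replicator nodes are not modelled.

```python
# Added example, not the authors' code: event names, args, taint/user flags and traces are constructed.
from collections import namedtuple
Event = namedtuple("Event", "name args")
# Graph node: ANDed edges (any order); each edge is an OR-set of lower-level event names
# plus an arg->variable map (edge predicate: values must agree); guard tests the bindings.
Behavior = namedtuple("Behavior", "name edges guard")
def unify(binds, ev, argmap):  # edge predicate: event args must agree with bound variables
    new = dict(binds)
    for arg, var in argmap.items():
        if arg not in ev.args or new.get(var, ev.args[arg]) != ev.args[arg]:
            return None
        new[var] = ev.args[arg]
    return new
def feed(layer, ev):  # layer = (behaviors, partial-match store); returns completed events
    behaviors, partial, out = layer[0], layer[1], []
    for b in behaviors:
        for done, binds in list(partial.setdefault(b.name, [(frozenset(), {})])):
            for i, (names, argmap) in enumerate(b.edges):
                nb = unify(binds, ev, argmap) if i not in done and ev.name in names else None
                if nb is None:
                    continue
                if len(done) + 1 < len(b.edges):
                    partial[b.name].append((done | {i}, nb))
                elif b.guard is None or b.guard(nb):
                    out.append(Event(b.name, nb))  # graph matched: emit to the next layer
    return out
def build_layers():  # layer 1: system calls -> essential actions; layer 2: download_exec
    low = ([Behavior("net_recv", [({"NtDeviceIoControlFile", "NtReadFile"},
                                   {"buf": "B", "tainted": "T"})], lambda v: v["T"]),
            Behavior("file_write", [({"NtCreateFile"}, {"path": "P", "handle": "H"}),
                                    ({"NtWriteFile"}, {"handle": "H", "buf": "B"})], None),
            Behavior("proc_exec", [({"NtCreateProcess"}, {"image": "P", "user": "U"})], None)], {})
    high = ([Behavior("download_exec", [  # RI: guard rejects a run triggered by local user input
        ({"net_recv"}, {"B": "B"}), ({"file_write"}, {"P": "P", "B": "B"}),
        ({"proc_exec"}, {"P": "P", "U": "U"})], lambda v: not v["U"])], {})
    return [low, high]
def detect(trace):  # acceptor: names of top-layer behaviors matched, in trace order
    layers, matched = build_layers(), []
    for ev in trace:
        pending = [ev]
        for layer in layers:  # events that complete a graph climb to the next layer
            pending = [e for p in pending for e in feed(layer, p)]
        matched += [e.name for e in pending]
    return matched
def sample_trace(user_initiated):  # constructed trace of the download_exec pattern
    return [Event("NtDeviceIoControlFile", {"buf": "b1", "tainted": True}),
            Event("NtCreateFile", {"path": "x.exe", "handle": 7}),
            Event("NtWriteFile", {"handle": 7, "buf": "b1"}),
            Event("NtCreateProcess", {"image": "x.exe", "user": user_initiated})]
```

Running detect(sample_trace(False)) reports download_exec, while the same trace with user_initiated=True, with untainted network data, or without the process creation reports nothing.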

  16. Construction of Behavior Graphs
  • The authors developed their graphs manually and iteratively through domain knowledge and analysis of tens of gigabytes of execution traces, obtained from multiple runs of:
    1. around fifteen standard applications,
    2. over one hundred specially-crafted programs,
    3. several malicious programs.

  17. Architecture of the System
  • A customized QEMU that instruments the guest code to monitor system call invocations, to perform taint analysis, and to track local user input.
  • A behavior matcher that receives events in real time and tries to match each loaded behavior graph.

  18. Spec. of Malicious Behavior • RI stands for Remotely Initiated • Tainted refers to data received over the network

  19. Result on Malicious bots • Blank entries denote behaviors not matched because the bot did not implement them

  20. Results on Benign Applications
  • Under two scenarios: one experiment in which user input tracking was not used, and one in which it was enabled.
  • User input tracking is very important to distinguish between behaviors triggered by the user and behaviors triggered automatically.

  21. Comments • False Positive Problem!! • E.g. Automatic Windows Update
