cis sapienza - uniroma1.it

Page 1: CIS Sapienza - uniroma1.it

Research Center for Cyber Intelligence and information Security
CIS Sapienza

Overview on malware evolution and feature extraction for malware detection

Seminars in Distributed Systems 2015/2016, April 29, 2016
Dr. Daniele Ucci, Ph.D. student, [email protected]

Page 2

Outline
•  Overview on malware evolution
   -  Malware definition
   -  Dawn of malware
   -  MS Windows malware
   -  Recent past and present
   -  Mobile malware
•  Feature extraction for malware detection
   -  Recall on detection approaches and their weaknesses
   -  Data structures for malware detection
   -  Features for malware detection
   -  Machine Learning algorithms for malware detection

Page 3

Malware Detection - Where we left off?
•  Three main types of malware detection approaches:
   -  Static analysis
   -  Dynamic analysis
   -  Hybrid analysis
•  Each approach has its own limitations

Page 4

Outline (section divider, same outline as Page 2): next section is "Overview on malware evolution"

Page 5

Overview on malware evolution - Malware (Definition)

Malware is malicious software that fulfills the deliberately harmful intent of an attacker*. In general, malware is a term used to refer to a variety of forms of hostile or intrusive software.

[*] Nikola Milosevic. "History of malware". In: CoRR abs/1302.5392 (2013). URL: http://arxiv.org/abs/1302.5392.

Page 6

Overview on malware evolution - Current AV industry scenario

[Figure omitted. Image copyright: IKARUS Software Security GmbH]

Page 7

Overview on malware evolution - Dawn of malware

Motivations behind creation:
•  proving that personal computers are not secure
•  annoying system users or worsening system performance

Page 8

Overview on malware evolution - Dawn of malware - Famous examples
•  Brain.A:
   -  boot sector virus (the slide labels it a worm, but Brain infected the boot sector of floppies rather than spreading over a network)
   -  first malware for the PC
   -  replicates itself through floppy disks by infecting the boot sector of every floppy inserted into an infected drive
•  Casino:
   -  virus
   -  detected in the early 90s
   -  copies the file allocation table (FAT) to memory and deletes the original one, then offers the user a slot game
   -  in case the user loses the game, the file allocation table is deleted from memory as well

Page 9

Overview on malware evolution - MS Windows malware

Motivations behind creation:
•  annoying system users or worsening system performance
•  recruiting computers into a botnet in order to attack companies and organizations

Page 10

Overview on malware evolution - MS Windows malware - Famous examples
•  WinVir:
   -  first Microsoft Windows virus
   -  first to infect PE (portable executable) files
   -  replicates itself by infecting other PE files
   -  deletes itself after replication
•  Slammer:
   -  detected in 2003
   -  takes advantage of a vulnerability in MS SQL Server 2000 and MS Data Engine 2000
   -  every application relying on these components was exposed
   -  in-memory process only (never written to disk)
   -  huge amount of network traffic generated

Page 11

Overview on malware evolution - 0-day exploits and cross-platform malware

Motivations behind creation:
•  virtual espionage
•  mass surveillance
•  attacking targeted users

Page 12

Overview on malware evolution - 0-day exploits and cross-platform malware - Famous examples
•  Stuxnet:
   -  "supermalware"
   -  found in June 2010
   -  undetected for about a year
   -  designed to slow down the Iranian nuclear program
   -  spread over USB sticks
   -  uses stealth strategies
   -  4 out of the 5 exploits it relied on were 0-day

Page 13

Overview on malware evolution - 0-day exploits and cross-platform malware - Famous examples
•  Duqu:
   -  "supermalware"
   -  similar to Stuxnet
   -  spies on infected personal computers
•  Flame:
   -  "supermalware"
   -  detected in 2012
   -  most complex malware seen up to that time
   -  hot plugging of new modules
   -  spread over USB ports and the network
   -  stealth capabilities
   -  able to record audio, video, Skype calls and network activity, and to steal files from the hard disk
   -  self-destructs on detection

Page 14

Overview on malware evolution - Recent past and present
•  Many enterprises are starting to understand the importance of protecting their business from cyber-threats
•  In 2013:
   -  McAfee reported more than 288,000 new possibly malicious samples to analyse per day*

[*] Cruz Benjamin et al. McAfee Labs Threats Report: Fourth Quarter 2013. Tech. rep. McAfee Labs, McAfee, 2013.

Page 15

Overview on malware evolution - Recent past and present
•  Symantec observed a sudden rise in exploits of zero-day vulnerabilities*:
   -  an average of 12 zero-day vulnerabilities found per year over the last seven years
   -  23 zero-day vulnerabilities discovered in 2013 alone
•  Sophos discovered about a thousand new Android malware samples per day**

[*] Wood Paul et al. 2014 Internet Security Threat Report, Volume 19. Tech. rep. Symantec Corporation, 2014.
[**] Vanja Svajce. Sophos Mobile Security Threat Report. 2014. URL: http://i.crn.com/bestofbreed/sophos-mobile-security-threat-report.pdf.

Page 16

Overview on malware evolution - Mobile malware

[Figure omitted. Image copyright: McAfee Mobile Security Report - February 2014]

Page 17

Overview on malware evolution - Mobile malware
•  Malware behavior is evolving from spyware and rooting exploits towards*:
   -  data theft
   -  impersonation
   -  premium SMS for financial fraud
   -  downloaders and installers providing the attacker with remote control (botnet)
   -  surveillance
•  Malvertisement threats**:
   -  advertisements embedding malicious content (e.g. trojans) or leading to malicious websites when clicked on
   -  affect both Android and iOS device users

[*] Vanja Svajce. Sophos Mobile Security Threat Report. 2014. URL: http://i.crn.com/bestofbreed/sophos-mobile-security-threat-report.pdf.
[**] Caetano L. Mobile Malware in 2014. 2014. URL: https://blogs.mcafee.com/consumer/mobile-malware-2014.

Page 18

Overview on malware evolution - Mobile malware - Famous examples
•  Master Key*:
   -  vulnerability in Android package signature verification
   -  patched in July 2013
   -  an attacker could modify an existing signed package (e.g. a system update) without invalidating its signature
   -  users would unknowingly install executables from the attacker
•  DownAPK**:
   -  detected in 2014
   -  Windows-based malware
   -  uses the Android Debug Bridge (adb) to install a fake banking app on Android devices connected to the infected PC

[*] McAfee. What Master Key? - Android Signature Bypass Vulnerability. 2013. URL: https://blogs.mcafee.com/consumer/what-master-key-android-signature-bypass-vulnerability.
[**] Vanja Svajce. Sophos Mobile Security Threat Report. 2014. URL: http://i.crn.com/bestofbreed/sophos-mobile-security-threat-report.pdf.

Page 19

Outline (section divider, same outline as Page 2): next section is "Feature extraction for malware detection"

Page 20

Feature extraction for malware detection - Recall on detection approaches
•  Static approaches:
   -  statically analyze the sample without executing it
•  Dynamic approaches:
   -  require the execution of the sample
   -  need virtual environments or emulators
•  Hybrid approaches:
   -  combine the above approaches

Page 21

Feature extraction for malware detection - Weaknesses in static and dynamic analysis*
•  Static analysis:
   -  signature computation is error-prone and time-consuming
   -  not able to detect tailored malware and variants of the same malicious code
   -  non-negligible number of false positives
•  Dynamic analysis:
   -  virtual environments are too specific (a sample can detect the analysis environment and behave differently)
   -  sophisticated attacks still go undetected

[*] Manuel Egele et al. "A Survey on Automated Dynamic Malware-analysis Techniques and Tools". In: ACM Comput. Surv. 44.2 (Feb. 2012), 6:1–6:42. ISSN: 0360-0300. DOI: 10.1145/2089125.2089126. URL: http://doi.acm.org/10.1145/2089125.2089126.

Page 22

Feature extraction for malware detection - Tools proposed in the literature for dynamic analysis*
•  Anubis
•  CWSandbox
•  Ether
•  Cuckoo
•  Hookfinder
•  TTAnalyze
•  Panorama
•  Norman Sandbox
•  QEMU

[*] Manuel Egele et al. "A Survey on Automated Dynamic Malware-analysis Techniques and Tools". In: ACM Comput. Surv. 44.2 (Feb. 2012), 6:1–6:42. ISSN: 0360-0300. DOI: 10.1145/2089125.2089126. URL: http://doi.acm.org/10.1145/2089125.2089126.

Page 23

Feature extraction for malware detection - Preliminary notions
•  Raw data:
   -  samples and metadata
•  Feature:
   -  measurable property extracted from raw samples and metadata

Page 24

Feature extraction for malware detection - Preliminary notions
•  Classification:
   -  process of assigning an observation to a specific class on the basis of a training set
   -  Examples:
      -  Observation: sample -> Class: Benign / Malicious
      -  Observation: sample -> Class: Worm / Not Worm
      -  Observation: malware variant -> Class: Family 0 / Family 1 / ... / Family k
•  Clustering:
   -  task of grouping similar observations
   -  Examples:
      -  Observations: samples -> Cluster: Families
      -  Observations: samples -> Cluster: Similar samples

Page 25

Feature extraction for malware detection - Data structures
•  Detection techniques rely on specific data structures to extract valuable information from raw data
•  Data structures can be categorized according to the type of analysis carried out:
   -  static
   -  dynamic
   -  hybrid

Page 26

Feature extraction for malware detection - Data structures for static analysis
•  Raw data:
   -  PE header
   -  PE payload -> disassembled code
   -  binary code
•  Extracted data structures:
   -  n-grams
   -  call graphs
   -  control flow graphs
   -  data flow graphs
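The static raw data and structures listed above (PE header fields, byte sequences turned into n-grams) are what a detector reads straight off disk. The following Python is an added example, not code from the seminar: it parses the COFF file header out of a constructed, deliberately minimal PE-shaped blob (built inline, not a real executable), counts byte n-grams, and hashes them into a fixed-length vector so that samples with different n-gram vocabularies share one feature space. The flag subset, the `dim` bucket count and the use of SHA-1 for bucketing are my choices, not anything the slides prescribe.

```python
import hashlib
import struct
from collections import Counter

# IMAGE_FILE_HEADER.Characteristics flags (subset; values from the PE/COFF spec).
IMAGE_FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"


def build_sample_pe() -> bytes:
    """Constructed, minimal PE-shaped blob for the example (not a real executable).

    DOS header with e_lfanew = 0x80, then the PE signature, a COFF header
    declaring 3 sections, and a body of repeated x86 function-prologue bytes.
    """
    dos = bytearray(b"MZ" + b"\x00" * 58)          # 60 bytes up to e_lfanew
    dos += struct.pack("<I", 0x80)                  # e_lfanew: offset of the PE signature
    dos += b"\x00" * (0x80 - len(dos))              # pad (a DOS stub would live here)
    coff = struct.pack(COFF_HEADER,
                       0x14C,        # IMAGE_FILE_MACHINE_I386
                       3,            # NumberOfSections
                       0x5720F3A0,   # TimeDateStamp (arbitrary)
                       0, 0,         # no COFF symbol table
                       0xE0,         # SizeOfOptionalHeader (PE32)
                       0x0102)       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    body = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10]) * 8   # push ebp; mov ebp,esp; sub esp,0x10
    return bytes(dos) + b"PE\x00\x00" + coff + body


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF file header; reject anything that is not a well-formed MZ/PE prefix.

    Truncated or inconsistent headers are common in malformed samples, so every
    offset is bounds-checked before it is dereferenced.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER) > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    return {
        "machine": machine,
        "num_sections": nsec,
        "timestamp": ts,
        "opt_header_size": opt_size,
        "characteristics": [name for bit, name in IMAGE_FILE_CHARACTERISTICS.items() if chars & bit],
    }


def byte_ngrams(data: bytes, n: int = 2) -> Counter:
    """Count overlapping byte n-grams over the whole image (headers included)."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def hashed_vector(ngrams: Counter, dim: int = 256) -> list:
    """Feature hashing: map each n-gram to one of `dim` buckets and L1-normalise.

    Keeps the vector length fixed however many distinct n-grams a sample has,
    which is what lets header features and n-gram features sit in one vector.
    """
    vec = [0.0] * dim
    for gram, count in ngrams.items():
        bucket = int.from_bytes(hashlib.sha1(gram).digest()[:4], "little") % dim
        vec[bucket] += count
    total = sum(vec) or 1.0
    return [v / total for v in vec]


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe_header(sample))
    print(byte_ngrams(sample, 2).most_common(3))
    print(sum(1 for v in hashed_vector(byte_ngrams(sample, 2)) if v > 0), "non-zero buckets")
```

Replacing `build_sample_pe()` with `open(path, "rb").read()` runs the same pipeline over a real file; the bounds checks in `parse_pe_header` are the part worth keeping, since a sample that lies about `e_lfanew` is exactly the kind of input a naive parser crashes on.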

Page 27

Feature extraction for malware detection - Data structures for dynamic analysis
•  Raw data:
   -  Network traces
   -  Execution traces
      -  the majority generated by VMs and sandboxes
   -  AV / sandbox reports
•  Extracted data structures:
   -  control flow graphs
   -  API / system call graphs
   -  Markov chain graphs
   -  network behavior graphs
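As an added example (not from the seminar), the following Python builds two of the dynamic-analysis structures listed above from one execution trace: the API call graph (weighted edges between consecutive calls) and the first-order Markov chain graph (transition probabilities), then flattens the chain into a fixed-length feature vector and scores a new trace against it. The trace is constructed inline to look like the API sequence in a sandbox report; it is not taken from any real sample, and the `floor` probability for unseen transitions is an assumption of mine.

```python
import math
from collections import Counter, defaultdict

# Constructed execution trace for the example (not from a real sandbox run): the
# ordered Win32 API names one process would show in a sandbox report.
SAMPLE_TRACE = [
    "CreateFileW", "WriteFile", "CloseHandle",
    "CreateFileW", "WriteFile", "CloseHandle",
    "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
    "InternetOpenW", "InternetConnectW", "HttpSendRequestW",
    "CreateProcessW",
]


def api_call_graph(trace):
    """API call graph as a weighted edge list: (current_api, next_api) -> occurrences."""
    edges = Counter()
    for current, following in zip(trace, trace[1:]):
        edges[(current, following)] += 1
    return edges


def markov_chain(trace):
    """First-order Markov chain graph: chain[a][b] = P(next call is b | current call is a)."""
    edges = api_call_graph(trace)
    out_degree = defaultdict(float)
    for (current, _), weight in edges.items():
        out_degree[current] += weight
    chain = defaultdict(dict)
    for (current, following), weight in edges.items():
        chain[current][following] = weight / out_degree[current]
    return dict(chain)


def transition_features(chain, vocab):
    """Flatten the chain into a fixed-length vector over vocab x vocab, the form a classifier consumes."""
    return [chain.get(a, {}).get(b, 0.0) for a in vocab for b in vocab]


def trace_log_likelihood(chain, trace, floor=1e-6):
    """Score a new trace under a chain learned from known samples.

    Transitions never seen in training get a small floor probability instead of
    zero, so a single unexpected call does not drive the score to -inf.
    """
    return sum(math.log(chain.get(a, {}).get(b, floor)) for a, b in zip(trace, trace[1:]))


if __name__ == "__main__":
    chain = markov_chain(SAMPLE_TRACE)
    for src, row in chain.items():
        for dst, p in row.items():
            print(f"{src:>18} -> {dst:<18} {p:.2f}")
    vocab = sorted(set(SAMPLE_TRACE))
    print(len(transition_features(chain, vocab)), "features")
    print("known path :", trace_log_likelihood(chain, ["CreateFileW", "WriteFile", "CloseHandle"]))
    print("unseen path:", trace_log_likelihood(chain, ["WriteFile", "CreateProcessW"]))
```

In practice the chain is learned per family (or per benign corpus) over many traces, and `trace_log_likelihood` then ranks which model a new trace fits best; the `vocab x vocab` vector is the representation handed to the classifiers listed on the Machine Learning slide.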

Page 28

Feature extraction for malware detection - Data structures for hybrid analysis
•  Input:
   -  combination of static and dynamic analysis input
•  Extracted data structures:
   -  combinations of data structures coming from static and dynamic analysis (e.g. control flow graph + Markov chain graph)

Page 29

Feature extraction for malware detection - Extracted features
•  Static analysis:
   -  opcodes
   -  byte sequences
   -  function length frequency
   -  ...
•  Dynamic analysis:
   -  network flow features (e.g. source IP)
   -  API / system calls
   -  behavioral features (e.g. execution profiles)
   -  ...

Page 30

Feature extraction for malware detection - Machine Learning algorithms
•  Detection techniques based on Machine Learning algorithms do not depend on the type of analysis carried out: any of the feature sets above becomes a vector the algorithm consumes
•  Some examples:
   -  SVM
   -  decision trees and variants
   -  kNN
   -  ...
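To make the last two slides concrete (features as vectors, and a classifier such as kNN over them), here is an added example in plain Python; it is not code from the seminar and not a production detector. It implements k-nearest-neighbours with min-max scaling, evaluates it by leave-one-out to produce the confusion matrix, and computes the false positive rate that the "Weaknesses" slide warns about. The eight labelled vectors are constructed for illustration, and the three feature columns are an assumption about what a behavioral profile might contain, not features the slides prescribe.

```python
import math
from collections import Counter

# Constructed training set for the example (not real sandbox data). The three
# columns are an assumption about what a behavioral profile could contain:
# (fraction of API calls that are network calls, fraction that are registry
#  writes, number of child processes spawned).
TRAINING = [
    ((0.05, 0.02, 1), "benign"),
    ((0.00, 0.05, 1), "benign"),
    ((0.10, 0.00, 2), "benign"),
    ((0.02, 0.03, 1), "benign"),
    ((0.60, 0.40, 5), "malicious"),
    ((0.55, 0.35, 4), "malicious"),
    ((0.70, 0.10, 6), "malicious"),
    ((0.45, 0.50, 3), "malicious"),
]


def fit_scaler(training):
    """Per-column min and max, so a raw process count does not swamp the ratio features."""
    columns = list(zip(*[features for features, _ in training]))
    return [min(c) for c in columns], [max(c) for c in columns]


def scale(x, mins, maxs):
    """Min-max scale one vector with statistics learned from the training set only."""
    return tuple((v - lo) / (hi - lo) if hi > lo else 0.0 for v, lo, hi in zip(x, mins, maxs))


def euclidean(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def knn_predict(training, x, k=3):
    """Majority label among the k training vectors closest to x (both scaled the same way)."""
    mins, maxs = fit_scaler(training)
    scaled = [(scale(features, mins, maxs), label) for features, label in training]
    query = scale(x, mins, maxs)
    nearest = sorted(scaled, key=lambda row: euclidean(row[0], query))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def leave_one_out(training, k=3):
    """Confusion matrix {(true, predicted): count}: each sample is classified by all the others."""
    matrix = Counter()
    for i, (features, label) in enumerate(training):
        others = training[:i] + training[i + 1:]
        matrix[(label, knn_predict(others, features, k))] += 1
    return matrix


def false_positive_rate(matrix):
    """Share of benign samples flagged as malicious; the cost an AV vendor cares about most."""
    fp = matrix[("benign", "malicious")]
    tn = matrix[("benign", "benign")]
    return fp / (fp + tn) if fp + tn else 0.0


if __name__ == "__main__":
    cm = leave_one_out(TRAINING)
    print("confusion matrix:", dict(cm))
    print("false positive rate:", false_positive_rate(cm))
    print("unknown sample ->", knn_predict(TRAINING, (0.65, 0.45, 5)))
```

Note that the scaler is re-fitted inside every leave-one-out fold on the remaining samples only; fitting it once on the full set would leak the held-out sample's range into its own evaluation, which is one of the easier ways to overstate a malware classifier's accuracy.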