Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, John Mitchell
RAID 2008
Slide 2: Bot-infected Computers
Botnets are used to perform nefarious tasks, such as: keystroke logging, spyware installation, denial-of-service (DoS) attacks, hosting phishing web sites or command-and-control servers, spamming, click fraud, license key theft.
Slide 3: Disadvantages of the Traditional Method
Even the most effective malware detectors fail to detect more than 30% of malware seen in the wild.
Traditional malware detectors are based on syntactic signatures. Malware producers can easily generate malware variants capable of evading existing signatures.
Malware detectors have a finite set of syntactic signatures, but malicious programs have infinitely mutable syntax.
Slide 4: Behavior-based malware detection
Detect the high-level actions that financially motivate malware development & distribution:
- keystroke logging
- data leaking
- proxying
- program download and execute
Slide 5: Semantic gap between models and monitored events
Monitor execution of the program using an emulator.
The lowest-level events in behavior specifications are system calls.
Malicious behaviors are described as sequences of essential actions.
E.g. what we see (low-level events): NtDeviceIo... NtOpenFile NtCreateSe... NtMapView ... is different from the essential actions we need to identify (behaviors): download a file and execute it.
Slide 6: Solutions
Complex, high-level behaviors are decomposed into multiple layers. The lowest layer represents system call invocations; upper layers have richer semantics.
E.g. the hierarchy of events used to specify download_exec.
Slide 7: Contributions
A behavior-specification language that can be used to describe novel, semantically meaningful behaviors.
A detector that identifies when a process performs a specified high-level action, regardless of the process's source-code implementation of the action.
Our evaluation demonstrates that our detector can distinguish malicious execution of high-level behaviors from benign.
Slides 8-14: Behavior Graphs
A behavior graph is a directed graph of a form that is adapted from and extends AND/OR graphs.
- Internal nodes represent events (with formal parameters).
- Edges represent predicates on event arguments.
- ORed edges represent events of which at least one has to occur.
- ANDed edges represent events that all have to occur (but can occur in any order).
- Annihilator and replicator nodes represent events that destroy and duplicate resources.
- Acceptor nodes represent actions taken by our system when behaviors are matched.
Slide 15: Matching Malicious Behaviors
OS events are passed to the lowest layer.
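To make the layering and the graph vocabulary concrete, here is an added example (not the authors' code or the paper's actual specification language) of a toy matcher that folds raw system calls into file-level events, then matches a download_exec graph expressed as ANDed groups of ORed alternatives, bound together by one formal parameter (the file path) and cleared by an annihilator event. The event names, the taint and user-input flags on each event, the exact download_exec predicate and the sample trace are all constructed assumptions for illustration; the RI/user distinction in the output mirrors the "Remotely Initiated" and user-input-tracking notions the later slides rely on.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Event:
    name: str
    args: Dict[str, object]
    tainted: bool = False          # payload derived from network data (taint analysis)
    user_initiated: bool = False   # attributable to local user input (user-input tracking)

# Layer 0 -> Layer 1: fold raw system calls into resource-level events.
# Handles are resolved back to paths so the upper layer reasons about files, not handles.
def syscalls_to_file_events(trace: List[Event]) -> List[Event]:
    handles: Dict[int, str] = {}
    out: List[Event] = []
    for ev in trace:
        if ev.name in ("NtCreateFile", "NtOpenFile"):   # ORed alternatives for obtaining the file
            handles[ev.args["handle"]] = ev.args["path"]
            out.append(Event("file_opened", {"path": ev.args["path"]}, user_initiated=ev.user_initiated))
        elif ev.name == "NtWriteFile":
            path = handles.get(ev.args["handle"])
            if path is not None:
                out.append(Event("file_written", {"path": path}, ev.tainted, ev.user_initiated))
        elif ev.name == "NtDeleteFile":
            out.append(Event("file_deleted", {"path": ev.args["path"]}))
        elif ev.name == "NtCreateProcess":
            out.append(Event("process_created", {"path": ev.args["image"]}, user_initiated=ev.user_initiated))
    return out

# Layer 2: a behavior graph reduced to ANDed groups of ORed alternatives, bound by one formal parameter.
Alt = Callable[[Event], bool]

@dataclass
class Spec:
    name: str
    groups: List[List[Alt]]   # every group must fire, in any order (AND); any alternative in a group suffices (OR)
    key: str                  # formal parameter shared by all nodes (the edge predicate: same resource)
    annihilators: Set[str]    # events that destroy the resource and discard partial matches on it

@dataclass
class Partial:
    satisfied: Set[int] = field(default_factory=set)
    user_initiated: bool = False

def named(n: str) -> Alt:
    return lambda e: e.name == n

def match(spec: Spec, events: List[Event]) -> List[Tuple[str, object, str]]:
    """Consume events one at a time; emit (behavior, resource, origin) when the acceptor node is reached."""
    partial: Dict[object, Partial] = {}
    accepted: List[Tuple[str, object, str]] = []
    for ev in events:
        key = ev.args.get(spec.key)
        if key is None:
            continue
        if ev.name in spec.annihilators:
            partial.pop(key, None)   # annihilator node: the resource is gone, and so is the progress on it
            continue
        p = partial.setdefault(key, Partial())
        for i, alts in enumerate(spec.groups):
            if any(alt(ev) for alt in alts):
                p.satisfied.add(i)
                p.user_initiated = p.user_initiated or ev.user_initiated
        if len(p.satisfied) == len(spec.groups):   # acceptor node
            accepted.append((spec.name, key, "user" if p.user_initiated else "RI"))
            del partial[key]
    return accepted

# Hypothetical download_exec spec (not the paper's exact graph): tainted bytes are written to
# file F and F is executed; deleting F annihilates the partial match.
DOWNLOAD_EXEC = Spec(
    name="download_exec",
    groups=[[lambda e: e.name == "file_written" and e.tainted], [named("process_created")]],
    key="path",
    annihilators={"file_deleted"},
)

def run_demo() -> List[Tuple[str, object, str]]:
    """Constructed trace: (1) a bot drops and runs a payload without user input; (2) a user saves
    and runs a download; (3) a tainted temp file is deleted and the path reused for a local,
    untainted file before execution, so no download_exec is reported for it."""
    trace = [
        Event("NtCreateFile", {"handle": 7, "path": "C:\\tmp\\upd.exe"}),
        Event("NtWriteFile", {"handle": 7}, tainted=True),
        Event("NtCreateProcess", {"image": "C:\\tmp\\upd.exe"}),
        Event("NtCreateFile", {"handle": 8, "path": "C:\\dl\\setup.exe"}, user_initiated=True),
        Event("NtWriteFile", {"handle": 8}, tainted=True),
        Event("NtCreateProcess", {"image": "C:\\dl\\setup.exe"}, user_initiated=True),
        Event("NtCreateFile", {"handle": 9, "path": "C:\\tmp\\x.exe"}),
        Event("NtWriteFile", {"handle": 9}, tainted=True),
        Event("NtDeleteFile", {"path": "C:\\tmp\\x.exe"}),
        Event("NtOpenFile", {"handle": 10, "path": "C:\\tmp\\x.exe"}),
        Event("NtWriteFile", {"handle": 10}, tainted=False),
        Event("NtCreateProcess", {"image": "C:\\tmp\\x.exe"}),
    ]
    return match(DOWNLOAD_EXEC, syscalls_to_file_events(trace))

if __name__ == "__main__":
    for behavior, path, origin in run_demo():
        print(f"{behavior} on {path}: {'remotely initiated' if origin == 'RI' else 'user-triggered'}")
```

The first two scenarios both reach the acceptor node; only the user-input flag separates the bot's remotely initiated drop-and-run from the user's deliberate download, which is the distinction the benign-application results depend on. A deployment would alert only on RI matches, and a legitimate automatic updater that downloads and executes a file with no user input would still match, which is exactly the false-positive case the closing slide raises.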
Slide 16: Construction of behavior graphs
The authors developed their graphs manually and iteratively through domain knowledge and analysis of tens of gigabytes of execution traces, obtained from multiple runs of:
1. around fifteen standard applications,
2. over one hundred specially-crafted programs,
3. several malicious programs.
Slide 17: Architecture of the system
A customized QEMU that instruments the guest code to monitor system call invocations, to perform taint analysis, and to track local user input.
A behavior matcher that receives events in real time and tries to match each loaded behavior graph.
Slide 18: Spec. of Malicious Behavior
RI stands for Remotely Initiated. Tainted refers to data received over the network.
Slide 19: Results on Malicious bots
Blank entries denote behaviors not matched because the bot did not implement them.
Slide 20: Results on Benign Applications
Under two scenarios: ¬UI refers to an experiment in which user input tracking was not used, and UI to one in which it was enabled.
User input tracking is very important to distinguish between behaviors triggered by the user and behaviors triggered automatically.
Slide 21: Comments
False Positive Problem!! E.g. Automatic Windows Update.