NDSS Symposium · Content Agnostic Malware Protection (slide transcript)
CAMP: Content Agnostic Malware Protection
Moheeb Abu Rajab, Lucas Ballard, Noé Lutz, Panayiotis Mavrommatis and Niels Provos
Google Safe Browsing Team
Current Situation
• Web still used for malware distribution
• Browsers and plug-ins are more secure
• Drive-by downloads are becoming harder to carry out
• Social Engineering attacks on the rise
Challenges
• Exploit detection mechanisms fail
• URL malware lists can be ineffective
• AVs struggle with polymorphic binaries
• Binary whitelists do not scale
Objective
Contributions
• Content agnostic malware protection
• Real-time detection of malware
• Hybrid detection approach
• 6-month evaluation with 200M users
Overview
• System Architecture
• Evaluation
• Case study
• Conclusion
System Architecture
Diagram: Client Request → Reputation Engine → Verdict. The Reputation Engine draws on Reputation Data (IP, Site, aggregates), a Malware List and Whitelists.
Hybrid Approach
Pie chart of download verdicts by source, with legend Whitelisted, Benign, Bad Reputation, Malware List; slice values shown: 0.3%, 0.7%, 29.0%, 70.0%.
Verdict in Chrome
Reputation Data
Diagram components: Safe Browsing Frontend, Binary Analysis, Reputation Data; inputs: Client Requests, URLs, Other URL sources. Aggregation updates per-key counters, e.g. IP:1.2.3.4: 30 / 100 → IP:1.2.3.4: 98 / 109.
![Page 18: NDSS Symposium · Content Agnostic Malware Protection Moheeb Abu Rajab, Lucas Ballard, Noé Lutz, Panayiotis Mavrommatis and Niels Provos Google Safe Browsing Team. Current Situation](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f0fb97d7e708231d4459307/html5/thumbnails/18.jpg)
Reputation Engine

| Feature / Aggregation Key | Baseline Aggregates |
|---|---|
| IP:1.2.3.4 | 98 / 109 |
| site:foo.com/ | 1039 / 5694 |
| host:a.foo.com/ | 0 / 0 |

Aggregate: # bad / # total events
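The slides show the reputation engine as a lookup of (# bad / # total) aggregates keyed by IP, site and host, consulted after the whitelist and malware list in the hybrid pipeline. The following is an added toy implementation of that lookup, written for this transcript; it is not code from the CAMP paper or from Google Safe Browsing. The aggregate values for IP:1.2.3.4, site:foo.com/ and host:a.foo.com/ are the slide's; the whitelist, malware-list entries, the 203.0.113.7 entry, the minimum-event count and the 0.5 bad-ratio threshold are constructed assumptions. The `record_event` function models the aggregation step from the Reputation Data slide, and the last check mirrors the case study: a freshly rotated hostname has no history of its own, but the IP it resolves to does.

```python
"""Toy content-agnostic reputation lookup in the style of the CAMP slides.

Added example for this transcript; not the paper's or Safe Browsing's code.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# An aggregate is (# bad, # total) events for one aggregation key, as on the slide.
Aggregate = Tuple[int, int]

# Baseline aggregates. The first three rows are the slide's example values;
# the 203.0.113.7 row is constructed (TEST-NET-3 address) to model a server
# behind rapidly rotating hostnames, as in the case study.
BASELINE: Dict[str, Aggregate] = {
    "ip:1.2.3.4": (98, 109),
    "site:foo.com/": (1039, 5694),
    "host:a.foo.com/": (0, 0),
    "ip:203.0.113.7": (410, 415),
}

# Constructed lists. Both are keyed by host, not by file content.
WHITELIST = {"host:download.example-trusted.org/"}
MALWARE_LIST = {"host:known-bad.example/"}

MIN_EVENTS = 50   # assumption: keys with less history give no opinion
BAD_RATIO = 0.5   # assumption: decision threshold on (# bad / # total)


def site_of(host: str) -> str:
    """Registered site for a hostname (assumption: the last two labels)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def aggregation_keys(url: str, server_ip: str) -> List[str]:
    """The three aggregation keys the slide shows: ip, site and host."""
    host = urlsplit(url).hostname or ""
    return [f"ip:{server_ip}", f"site:{site_of(host)}/", f"host:{host}/"]


def bad_ratio(agg: Aggregate) -> Optional[float]:
    """# bad / # total, or None when there is not enough history to judge."""
    bad, total = agg
    return None if total < MIN_EVENTS else bad / total


def verdict(url: str, server_ip: str,
            baseline: Dict[str, Aggregate] = BASELINE) -> Tuple[str, str]:
    """Hybrid pipeline from the slides: whitelist, malware list, reputation, benign.

    Returns (verdict, key that decided it).
    """
    keys = aggregation_keys(url, server_ip)
    host_key = keys[2]
    if host_key in WHITELIST:
        return ("whitelisted", host_key)
    if host_key in MALWARE_LIST:
        return ("malware_list", host_key)
    # Reputation: any key with enough history and a high bad ratio flags the download.
    for key in keys:
        ratio = bad_ratio(baseline.get(key, (0, 0)))
        if ratio is not None and ratio >= BAD_RATIO:
            return ("bad_reputation", key)
    return ("benign", "no-bad-aggregate")


def record_event(baseline: Dict[str, Aggregate], url: str, server_ip: str,
                 is_bad: bool) -> Dict[str, Aggregate]:
    """Aggregation step: bump (# bad, # total) for every key of one labelled event."""
    for key in aggregation_keys(url, server_ip):
        bad, total = baseline.get(key, (0, 0))
        baseline[key] = (bad + int(is_bad), total + 1)
    return baseline


if __name__ == "__main__":
    # Known-bad IP from the slide's table decides the verdict.
    print(verdict("http://a.foo.com/x.exe", "1.2.3.4"))
    # Rotated hostname with no history of its own: host and site keys are silent,
    # the IP aggregate is not (the case-study situation).
    print(verdict("http://srv17.abc.uni.me/setup.exe", "203.0.113.7"))
```

A URL list keyed on hostnames never catches the second request, because each rotated hostname is seen for only minutes; the IP aggregate carries the history across rotations, which is the content-agnostic point the case study makes.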
Evaluation
• 6-month evaluation, 200M Chrome users
• 15M download requests / day
• 500K warnings shown / day
Evaluation - Labeling
Same diagram as the Reputation Data slide (Safe Browsing Frontend, Binary Analysis, Reputation Data; Client Requests, URLs, Other URL sources; Aggregation: IP:1.2.3.4: 30 / 100 → IP:1.2.3.4: 98 / 109).
Evaluation - Labeling
Bar charts comparing Binary Analysis labels with VirusTotal (VT), 1100 samples per panel: Malicious panel 1089 / 1100 agreement; Benign panel 968 / 1100 agreement.
12% FN, 1% FP
Evaluation - Reputation
Line chart of TPR, TNR, FPR and FNR (y-axis 0 to 1) over time; x-axis dates 03/01, 04/01, 05/01, 06/01, 07/01.
Overall Accuracy

| | Reputation Engine | Overall |
|---|---|---|
| Accuracy | 98% | 99.5% |
| FPR | 2% | 0.6% |
CAMP Reputation vs. AVs
Bar chart (y-axis 0 to 10000) of samples Flagged vs. Benign for CAMP, AV-1, AV-2, AV-3 and AV-4.
CAMP Reputation vs. URL lists
Bar chart (y-axis 0 to 10000) of samples Flagged, Benign, Unknown and Error for CAMP, DomainList, SiteAdvisor, Symantec, SafeBrowsing and TrendMicro.
Case Study
• 13K unique hostnames over a 2-week period
• Domain rotation every 7 minutes
• Hostname pattern: `(srv|www|server|update)\d{2}.\w+.uni.me`
URL malware lists didn't work here
Case Study
• Binary changed roughly every 10 minutes
• Saw >900 distinct content hashes
• Only 1 of 40 VirusTotal AVs flagged the binary
• Hostname pattern: `(srv|www|server|update)\d{2}.\w+.uni.me`
Content-based approaches didn't work here
Summary
• Content agnostic reputation approach
• Scalable to 200M users
• High accuracy with low false positive rate