Upload File

over the last years, the amount of malicious code (viruses, worms, trojans, etc.) sent through the...

  • Home
  • Documents
  • Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant
1
Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant growth, viruses' renewal and improvement is done much faster than the update time of the anti-virus software selling today. Our solution focuses on the signature generation process. We have developed an automatic system, which its goal is to extract simple, unique and optimal signatures for malicious files. This way any IDS/IPS will be able to neutralize a hostile code in real-time. In addition we have developed an evaluation environment - its objective is to determine the best configuration for generating an optimal signature for malicious files. Language: IDE: Operation System: Ido Levin Ofir Nissel Yotam Katzman Academic Advisor: Dr. Yuval Elovici Professional Advisor: Mr. Asaf Shabtai Extraction method : The Interactive Disassembler (IDA) : IDA is a commercial Disassembler widely used for reverse engineering meaning, it is able to receive a binary file and reverse it back to the assembler code. Using a dedicated plug-in, IDA can identify, extract and normalize all the functions in the file. Data mining : Using classifier which takes a training set of bytes' segments and classify if it an end, start or neither, then classify segments of bytes from a suspicious file, and determine if these segments are start, end or neither. That way we are able to extract functions from a given file. Selection methods : Random Selector : Choose a signature randomly from the candidates. Minimum Entropy Selector : The selector calculates the entropy of the candidates and selects the one with the minimum entropy. Cluster Selector : This Selector creates groups of candidates by their distance from each other, and will score each cluster by the chance it will contain the best signature. Each cluster will get score that will reflect this chance with the following formula: Probability Selector : Key idea: estimate the probability that each of the candidate signatures will match a randomly chosen block of bytes in the code of a randomly chosen program Select one or more signatures with the lowest estimated False Positive probabilities of all the candidates which is less than pre-defined threshold. Cs denotes Cluster size in bytes Fs denotes File’s Size Fc denotes number of functions in cluster T denotes total number of function in file Fl denotes the sum of function’s length in cluster Cs Fl T Fc Fs Cs re ClusterSco Let S be a string/signature. Sc character in S |Sc| the number of times Sc appears at S. The Entropy of S will be as follows: | | | | log | | | | ) ( 2 S S S S S E c C c c For a given sequence of S bytes B=B1B2…BS estimate the probability p(B) for B to occur in a large body of normal uninfected code: TS - number of S-byte sequences in a large corpus of uninfected programs f(B) - number of occurrences of B in Ts 3 1 2 4 3 3 2 1 2 4 3 2 3 2 1 2 1 ) ( )... ( ) ( ) ( )... ( ) ( ) ... ( T B B f B B f B B f B B B f B B B f B B B f B B B P s s s s s s Generally, the Signature Builder system operation is: Building a common functions library (CFL), Given a malicious file, extract its functions and filter the common ones using the CFL, generate signature and at last Choosing from the remaining functions (candidates), the best one to act as the malicious file’s signature. The system extracts functions from the malwares by several algorithms, and provide a signature for each malware. Initialize Configuration CFL Handling Receive File from Client Initialize the system Extracting Functions Filter Common Functions Generate Candidates Select Best Candidate Return Signature Evaluation Environment - evaluates the different configurations of the signature builder, in order to decide about the quality of the signature. The main idea is checking if a signature of a malicious file appears in control group- benign files. Of course, a good signature which belongs to a malicious file – should not appear in benign files. The output consists the following: Processed - The number of malware files that the system managed to generate a signature for them. Processed (%) - Processed / Total Malware Files. Signature Hits - The number of malware files that gives at least one False Alarm, which means the number of unique malware files that produced False Alarm. Signature Hits (%) - Signature Hits / Processed. Unique Signature - The number of unique signatures that didn’t produced FA. Different Files - The number of distinct files in the Control Group that has at least one hit. Different Files (%) – Different Files / Total Control Group Files. Each configuration consist the following input: CFL size in MB maximum signature length in byte Function similarity threshold Offset size in byte Function Extractor Function selection.

Upload: griffin-blankenship

Post on 11-Jan-2016

213 views

Category:

Documents


1 download

Report

Tags:

TRANSCRIPT

Page 1: Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant

Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing.

Due to this significant growth, viruses' renewal and improvement is done much faster than the update time of the anti-virus software selling today. Our solution focuses on the signature generation process. We have developed an automatic system, which its goal is to extract simple, unique and optimal signatures for malicious files.This way any IDS/IPS will be able to neutralize a hostile code in real-time. In addition we have developed an evaluation environment - its objective is to determine the best configuration for generating an optimal signature for malicious files.

Language: IDE: Operation System:Ido Levin Ofir Nissel Yotam Katzman

Academic Advisor: Dr. Yuval EloviciProfessional Advisor: Mr. Asaf Shabtai

Extraction method:

The Interactive Disassembler (IDA):IDA is a commercial Disassembler widely used for reverse engineering meaning, it is able to receive a binary file and reverse it back to the assembler code. Using a dedicated plug-in, IDA can identify, extract and normalize all the functions in the file.

Data mining :Using classifier which takes a training set of bytes' segments and classify if it an end, start or neither, then classify segments of bytes from a suspicious file, and determine if these segments are start, end or neither. That way we are able to extract functions from a given file.

Selection methods:

Random Selector:Choose a signature randomly from the candidates.

Minimum Entropy Selector:The selector calculates the entropy of the candidates and selects the one with the minimum entropy.

Cluster Selector:This Selector creates groups of candidates by their distance from each other, and will score each cluster by the chance it will contain the best signature. Each cluster will get score that will reflect this chance with the following formula:

Probability Selector:Key idea: estimate the probability that each of the candidate signatures will match a randomly chosen block of bytes in the code of a randomly chosen program

Select one or more signatures with the lowest estimated False Positive probabilities of all the candidates which is less than pre-defined threshold.

• Cs denotes Cluster size in bytes

• Fs denotes File’s Size

• Fc denotes number of functions in cluster

• T denotes total number of function in file

• Fl denotes the sum of function’s length in cluster

Cs

Fl

T

Fc

Fs

CsreClusterSco

• Let S be a string/signature.

• Sc character in S

• |Sc| the number of times Sc appears at S.

• The Entropy of S will be as follows:

||

||log

||

||)( 2 S

S

S

SSE c

Cc

c

• For a given sequence of S bytes B=B1B2…BS estimate the probability p(B) for B to occur in a large body of normal uninfected code:

• TS - number of S-byte sequences in a large corpus of uninfected programs

• f(B) - number of occurrences of B in Ts

3124332

1243232121 )()...()(

)()...()()...(

TBBfBBfBBf

BBBfBBBfBBBfBBBP

ss

ssss

Generally, the Signature Builder system operation is:Building a common functions library (CFL), Given a malicious file, extract its functions and filter the common ones using the CFL, generate signature and at last Choosing from the remaining functions (candidates), the best one to act as the malicious file’s signature. The system extracts functions from the malwares by several algorithms, and provide a signature for each malware.

Initialize Configuration

CFL Handling

Receive File from Client

Initialize the system

Extracting Functions

Filter Common Functions

Generate Candidates

Select Best Candidate

Return Signature

Evaluation Environment - evaluates the different configurations of the signature builder, in order to decide about the quality of the signature. The main idea is checking if a signature of a malicious file appears in control group- benign files. Of course, a good signature which belongs to a malicious file – should not appear in benign files.

The output consists the following:• Processed - The number of malware files that the system

managed to generate a signature for them.

• Processed (%) - Processed / Total Malware Files.

• Signature Hits - The number of malware files

that gives at least one False Alarm, which means the number

of unique malware files that produced False Alarm.

• Signature Hits (%) - Signature Hits / Processed.

• Unique Signature - The number of unique signatures

that didn’t produced FA.

• Different Files - The number of distinct files in the Control Group

that has at least one hit.

• Different Files (%) – Different Files / Total Control Group Files.

Each configuration consist the following input:

• CFL size in MB

• maximum signature length in byte

• Function similarity threshold

• Offset size in byte

• Function Extractor

• Function selection.

Introduction of Software Securityheng/teaching/cs260-winter... · •Malicious programs –Spyware, trojans, rootkits •Misconfiguredprograms –Security features not turned on –Complex

Protecting Yourself Online. VIRUSES, TROJANS, & WORMS Computer viruses are the "common cold" of modern technology. One e-mail in every 200 containing

Contents Viruses Viruses Computer Worms Computer Worms Trojans Trojans Spyware Spyware Adware Adware Spam Spam Hoaxes and Scams Hoaxes and

© 2006 Consumer Jungle Malware: Spam, Viruses, Spyware, Phishing, Pharming, Trojans, Worms, Backdoors, and Zombie Computers

2016 SCCE Compliance Ethics Institute...• Viruses – spreads by infecting other programs • Worms – Similar to a virus, but can operate by it’s self • Trojans – Legitimate

Software Security Malware: Trojans, Virii, and Worms

Unified Threat Management (UTM) UTM-5000download.nusoft.com.tw/us_download/technical_document/UTM-500… · UTM Series Unified Threat Management (UTM) UTM-5000 1 Trojans, worms and

Viruses/Worms Software programs designed to invade your computer, and copy, damage, or delete your data. Trojans Viruses that pretend to be helpful programs

YEAR 9 ONLINE SAFETY AND SECURITY. Online safety Phishing Cyberbullying Grooming Viruses Cookies Social networking Worms & trojans

1 CSCD 434 Spring 2012 Lecture 8 Attacks Worms, Trojans, Backdoors

Installing & Maintaining Computer Hardware Anti Virus & Malware · 2019. 11. 25. · Viruses Trojans, Worms, Botnets, E-mail Viruses, Ransomware …. What do the group understand

4-1 Last time Malicious code: Malware Viruses Trojan horses Logic bombs Worms Other malicious code: web bugs

Security Risks Viruses, worms, Trojans Hacking Spyware, phishing Keylogging Online fraud Identity theft DOS (Denial of Service attacks

Week 6 COMMON TYPES OF MALICIOUS CODE. Objectives describe the operation of: Viruses Malware [last week] Spyware [last week] Adware [last week] Trojans

PROTECT YOUR COMPUTER—AND YOUR PRIVACY ......of identity theft victims were attributed to malware (viruses, worms, trojans), spyware, computer hacking and phishing (email fraud).*

Trend Micro deeP disCoveRy - Zonesmedia.zones.com/images/pdf/datasheet_deep-discovery.pdf• data exfiltration • Bots, trojans, worms, keyloggers • disruptive applications KEY

Computer Security - Rutgers Universitypxk/419/exam/old/2017-exam2...(a) Viruses are designed to replicate themselves and worms do not. (b) Viruses are malicious while worms are benign

Viruses, worms, trojans and anti viruses

Ruxcon 2006 - Unpacking Virus, Trojans and Worms

Viruses, Worms and Trojans on mobile phones

Viruses, Trojans, and Worms Prabhaker Mateti. Mateti, Viruses, Trojans and Worms2 Virus Awareness Virus Bulletin Virus Bulletin

What is Computer Security Key Components Levels Challenges Attacks Desktop Security Why it is important Virus/Worms/Trojans Tips Web

How Viruses, Worms and Trojans Work - dFPUG-Portalportal.dfpug.de/dFPUG/Dokumente/...howviruseswork.pdfChapter N: How Viruses, Worms, and Trojans Work 3 A companion virus is one that

Computer Viruses, Trojans and Worms

PowerPoint Presentationcert.umz.ac.ir/uploads/شماره_8_نشریه_مرکز_آپا_مازندران.pdf49.20% Viruses 30.28% Trojans 11.56% worms 4.32% scripts 2.24% Password Trojans

Getting Started Guide - Andover Consulting Group · 2011-03-18 · against viruses, worms, Trojans, spyware programs, peer-to-peer and instant messaging applications, and other malicious

Viruses and Related Threats. 2 Summary have considered: various malicious programs trapdoor, logic bomb, trojan horse, zombie viruses worms

1 CSCD 434 Spring 2014 Lecture 9a Attacks Worms, Trojans, Backdoors

TERMS AND CONDITIONS...2020/12/10  · viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful. You must not attempt to gain unauthorised

Malware (MALicious softWARE) Malware Taxonomycs.wellesley.edu/~cs342/fall14/lectures/22_viruses_and_worms.pdfDepartment of Computer Science Wellesley College Viruses and Worms Thrursday,

Detecting Malicious Code by Model Checking...J. Kinder, S. Katzenbeisser, C. Schallhart, H. Veith 4/27 E-Mail Worms – Facts • Predominantly variants of existing worms – Currently

Successful Ageing Seminar Cyber Communication · machines running worms, trojans, spam, SMTP mail relays bots (Spambot), DOS (denial of service) and other vulnerabilities. • Several

Virus Primer. Malware Classifications of Malware Classifications of Malware The Classic Virus The Classic Virus Worms Worms Trojans Trojans Other forms

Malware: Malicious Softwarecs.armstrong.edu/rasheed/ITEC2010/Slides7.pdf · Viruses, Worms, Trojans, Rootkits • Malware can be classified into several categories, depending on propagation

Full accounting for verifiable outsourcing · [A2: Analog Malicious Hardware, Yang et al., Oakland16; Stealthy Dopant-Level Trojans, Becker et al., CHES13] But trusted fabrication