Lab Sem2

Presentation Transcript

Type of Malware Detection : 

Type of Malware Detection
V. Sai Sathyanarayan, Pankaj Kohli, and Bezawada Bruhadeshwar
Centre for Security, Theory and Algorithmic Research (C-STAR), International Institute of Information Technology, Hyderabad - 500032, India
Lab Seminar on Oct. 29th, Munkhbayar Bat-Erdene 1

Contents : 

Contents
Static Analysis of Executables to Detect Malicious Patterns (SAFE)
Approach of SAFE
Prototype Implementation Details
Experimental Analysis: Effectiveness, Performance Testing
Conclusion 2

Introduction : 

Introduction Malware detection and prevention is critical for the protection of computing systems across the Internet. The problem in detecting malware is that they evolve over a period of time and hence, traditional signature-based malware detectors fail to detect obfuscated and previously unseen malware executables. 3

Approach : 

Approach This paper's approach to malware detection. First, the approach for malware signature generation and classification. Next, the program behavior model used for signature generation and the statistical comparison technique. Then, the malware detection algorithm built on that program behavior model. Finally, the prototype implementation in detail, with a sample signature of a malware extracted using this approach. 4

Slide 5: 

Fig. 1. Architecture of malware detector 5

Approach : 

Approach Malware Signature Generation and Classification Approach: create signatures based on the characteristics of an entire malware class rather than a single sample of malware. Malware classes are defined based on similar behavior. The behavior of a malware class is specified by the API calls that the members of the class use; rather than considering all API calls, the signature is built on the critical API calls. 6

Malware Behavior Profiling : 

Malware Behavior Profiling Malicious programs exhibit behavior that can be distinguished from the behavior of benign programs. The signature for a malware class is based on the frequency of critical API calls. To detect malware, the difference between the proportions of the critical API calls in a signature and those in a test program is measured using the Chi-square test. 7

Malware Behavior Profiling (cont) : 

Malware Behavior Profiling (cont) The Chi-square test is a likelihood-ratio or maximum-likelihood statistical significance test that measures the difference between proportions in two independent samples.
Oi - the observed frequency of the ith critical API call in the test file
Ei - its expected frequency
χ² - compared against a threshold value є from a standard Chi-square distribution table with one degree of freedom 8

Malware Behavior Profiling (cont) : 

Malware Behavior Profiling (cont) This means that 95% of the time we expect χ² to be less than or equal to є. For one degree of freedom and significance level 0.05, є = 3.84. A degree of membership λ is then defined on the slide; λ is a measure of the belongingness of a test file to a malware class. 9

Malware Behavior Profiling (cont) : 

Malware Behavior Profiling (cont) 10

Signature Generation : 

Signature Generation Let Ri = {P1i, P2i, ..., Pmi} be the set of profiles of samples in malware class Mi. The signature vector Si for the malware class Mi is then defined as the set of the mean frequencies of every critical API call occurring in Mi. 11

Signature Generation (cont) : 

Signature Generation (cont) This signature vector is then tested, using the statistical analysis, against samples T = {T1, T2, ..., Tk} known to belong to the same malware class Mi. A threshold δ is then defined on the slide in terms of λ, the outcome of the statistical analysis test. The signature Si and threshold δi are computed for every malware class Mi. 12

Classification Strategy : 

Classification Strategy Let P be the profile obtained from a test file T. Let Si be the signature for the malware class Mi, and δi the corresponding degree-of-membership threshold. Let B be the benign set and t the total number of malware classes. 13

Classification Strategy (cont) : 

Classification Strategy (cont) 14

Classification Strategy (cont) : 

Classification Strategy (cont) A false positive occurs when a benign program is classified as malicious. A false positive for a signature Si is defined as a probability (slide 15). A false negative occurs when a malicious program is classified as benign. For a specific malware class Mi and signature Si, this is defined as shown on the slide. 15

Classification Strategy (cont) : 

Classification Strategy (cont) 16
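The profiling, signature generation and classification slides above describe one pipeline: mean critical-API frequencies form a class signature, each test file is compared against it with a one-degree-of-freedom Chi-square test at є = 3.84, a membership value λ and a per-class threshold δi decide the class, and false positives and false negatives are counted over labelled files. The following Python is an added example written for this page, not the paper's or the presenters' code. It assumes a constructed set of four critical API calls, uses the standard Chi-square goodness-of-fit term (Oi − Ei)²/Ei per call, and, because the defining equations for λ and δ are on slide images rather than in the transcript, substitutes labelled stand-ins: λ as the fraction of critical calls whose Chi-square term is within є, and δi as the smallest λ seen on known members of the class. All profiles are constructed sample data.

```python
# Added example (not the paper's or the presenters' code): class signatures from mean
# critical-API frequencies, per-call chi-square comparison against є = 3.84 (one degree
# of freedom, significance level 0.05), a membership threshold per class, and
# false-positive / false-negative rates over constructed sample profiles.
from typing import Dict, List, Tuple

# Assumption: the set of "critical" API calls. The slides do not list them; these four
# names are constructed for the example.
CRITICAL_APIS = ("CreateFileA", "CopyFileA", "RegSetValueExA", "InternetOpenA")
EPSILON = 3.84  # chi-square critical value for 1 d.o.f. at p = 0.05 (from the slides)

Profile = Dict[str, int]       # API name -> number of call sites (cross-references)
Signature = Dict[str, float]   # API name -> mean frequency across the class


def prof(c: int, cp: int, r: int, i: int) -> Profile:
    """Build a constructed profile in CRITICAL_APIS order."""
    return {"CreateFileA": c, "CopyFileA": cp, "RegSetValueExA": r, "InternetOpenA": i}


def signature(profiles: List[Profile]) -> Signature:
    """S_i: mean frequency of every critical API call over the class's profiles."""
    return {api: sum(p.get(api, 0) for p in profiles) / len(profiles)
            for api in CRITICAL_APIS}


def chi_square(observed: int, expected: float) -> float:
    """Per-call chi-square term (O_i - E_i)^2 / E_i.  When the signature never uses the
    call (E_i = 0) the term is 0 if the test file does not use it either, otherwise an
    outright mismatch (infinite) rather than a division by zero."""
    if expected == 0.0:
        return 0.0 if observed == 0 else float("inf")
    return (observed - expected) ** 2 / expected


def membership(sig: Signature, profile: Profile) -> float:
    """Degree of membership λ of a test profile in the class described by sig.
    Assumption (the defining equation is not in the transcript): λ is the fraction of
    critical API calls whose chi-square term is <= є, i.e. whose proportion in the
    test file is statistically consistent with the signature."""
    total = sum(profile.get(api, 0) for api in CRITICAL_APIS)
    if total == 0:
        return 0.0  # no critical calls at all: nothing to compare, match no class
    sig_total = sum(sig.values())
    passed = 0
    for api in CRITICAL_APIS:
        expected = total * sig[api] / sig_total  # signature proportion scaled to the file
        if chi_square(profile.get(api, 0), expected) <= EPSILON:
            passed += 1
    return passed / len(CRITICAL_APIS)


def threshold(sig: Signature, known_samples: List[Profile]) -> float:
    """δ_i from samples known to belong to the class.  Assumption: the smallest λ
    observed on the known samples, so every known member would be accepted."""
    return min(membership(sig, p) for p in known_samples)


def classify(profile: Profile, classes: Dict[str, Tuple[Signature, float]]) -> str:
    """Return the class with the highest λ among those where λ >= δ_i, else 'benign'."""
    best_name, best_lambda = "benign", 0.0
    for name, (sig, delta) in classes.items():
        lam = membership(sig, profile)
        if lam >= delta and lam > best_lambda:
            best_name, best_lambda = name, lam
    return best_name


def error_rates(classes: Dict[str, Tuple[Signature, float]],
                benign: List[Profile], malicious: List[Profile]) -> Tuple[float, float]:
    """False-positive rate over benign files, false-negative rate over malicious files."""
    fp = sum(classify(p, classes) != "benign" for p in benign) / len(benign)
    fn = sum(classify(p, classes) == "benign" for p in malicious) / len(malicious)
    return fp, fn


def build_classes() -> Dict[str, Tuple[Signature, float]]:
    """Two constructed classes: signature from the two earliest variants, threshold from
    two further known members (the split the Effectiveness slide describes)."""
    worm_sig = signature([prof(4, 4, 2, 2), prof(6, 6, 3, 3)])
    worm_delta = threshold(worm_sig, [prof(5, 5, 3, 3), prof(8, 4, 1, 5)])
    dl_sig = signature([prof(2, 0, 2, 6), prof(2, 0, 2, 6)])
    dl_delta = threshold(dl_sig, [prof(3, 0, 3, 9), prof(1, 0, 1, 4)])
    return {"Worm": (worm_sig, worm_delta), "Downloader": (dl_sig, dl_delta)}


if __name__ == "__main__":
    classes = build_classes()
    # Constructed test files: two new variants, one odd worm variant, and two benign
    # tools, one of which (a backup tool) shares file-copying behavior with the worm.
    tests = {"worm_variant": prof(7, 6, 4, 3), "downloader_sample": prof(2, 0, 3, 7),
             "worm_odd_variant": prof(2, 12, 2, 2), "backup_tool": prof(9, 9, 0, 0),
             "text_editor": prof(10, 1, 1, 0)}
    for name, p in tests.items():
        print(f"{name:18s} -> {classify(p, classes)}")
    print("fp, fn rates:", error_rates(classes,
                                       [tests["backup_tool"], tests["text_editor"]],
                                       [tests["worm_variant"], tests["downloader_sample"],
                                        tests["worm_odd_variant"]]))
```

Running the block classifies the worm and downloader variants correctly, misses the odd worm variant whose CopyFileA proportion falls outside є (a false negative), and flags the backup tool as Worm because its file-creation and file-copying proportions match the worm signature, which is exactly the shared-behavior false positive the Effectiveness slides report. The `total == 0` branch matters: without it a file with no critical calls at all would pass every per-call test and be assigned to a class.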

Prototype Implementation Details : 

Prototype Implementation Details Our implementation is written for malware on the Win32 platform and consists of two components: the API Call Extractor and the Classifier. 17
API Call Extractor The API Call Extractor component is implemented as a plugin to the IDA Pro Disassembler. It begins by locating the .idata segment, an EXTERN segment that contains the list of addresses of API functions imported by the PE file.

Slide 18: 

For each address in the .idata segment, it retrieves the corresponding API function name and its set of cross-references. 18

Slide 19: 

Classifier The classifier reads the entire set of profiles produced by the API call extractor for each malware class and produces a signature. 19

Effectiveness : 

Effectiveness Testing on new variants For each malware family, the two earliest available variants were used to construct the signature and the rest to test it. The approach was tested on the following malware families: MyDoom (30 variants), Bifrose (18 variants), Agent (14 variants), Delf (13 variants), InvictusDLL (13 variants), Netsky (10 variants), Bagle (9 variants), Chiton (19 variants). The approach was able to detect all variants in these families except one variant in the Netsky family. The detailed results are presented in Tables 1 and 2. 20

Slide 21: 

21

Slide 22: 

22

Effectiveness : 

Effectiveness Testing on generic malware classes To test the effectiveness of our detection method and to identify potential false negatives, we gathered 800 malicious programs in Portable Executable (PE) format. 23

Slide 24: 

We found that several benign programs share behavior (for instance, searching files, copying files to network drives etc.) with certain malicious programs. The observed false positive rate is due to such shared behavior. 24

Performance Testing : 

Performance Testing We consider the time taken by our approach to extract the API calls from a program and to classify it as malicious or benign. We compare our approach to SAFE. SAFE creates an abstraction pattern of the malicious code and converts it into an internal representation. 25

Conclusion : 

Conclusion A method to generate signatures for malware classes to detect previously unknown malicious programs. Rather than creating a new signature for every variant in a malware family, it creates a single signature that reflects the behavior of the entire family. Also, it is able to detect malicious programs with common obfuscations, a problem which the commercial antivirus scanners being used today do not address. 26

Conclusion (cont) : 

Conclusion (cont) Malware authors often tend to pack malware in order to evade detection and to make analysis difficult. Such malware use a decompression or decryption routine to extract the compressed or encrypted malicious code in memory. 27

Thank you for your time : 

Thank you for your time 28