correlating low level events to identify high level bot
play

Correlating Low-Level Events To Identify High-Level Bot Behaviors - PowerPoint PPT Presentation

Nov 20, 2022 •333 likes •534 views

Correlating Low-Level Events To Identify High-Level Bot Behaviors Liz Stinson Matt Fredrikson Somesh Jha John Mitchell University of Wisconsin Stanford University Lorenzo Martignoni University of Milan Our anti-inspirations

  1. Correlating Low-Level Events To Identify High-Level Bot Behaviors Liz Stinson Matt Fredrikson Somesh Jha John Mitchell University of Wisconsin Stanford University Lorenzo Martignoni University of Milan

  2. Our anti-inspirations • “Personal firewalls”: identify when an app is Too ambiguous connecting to the network • Host-level methods that inundate us with information (all registry accesses/changes, Too noisy; devoid of meaning file accesses/changes) without providing a higher-level assessment of what’s going on

  3. Problem Statement • >5M “distinct, active” bot-infected machines detected between January - June, 2007 – “active”: carried out at least one attack – Symantec Threat Report, Volume XII • The *best* anti-virus signature scanners fail to detect anywhere from 30% to 50% of malware samples seen in the wild – NB: The best AV scanners may not be who you think they are…

  4. Problematic Asymmetry Malware writers know they have the work(create_sig) >> work(create_variant) advantage here and they exploit it. • AV companies decide which undetected Tens of thousands of novel malware to create sigs for using triage; must malware variants created annually exceed some prevalence threshold

  5. Existing behavior-based detection • Identify simple, mostly stateless “features” May identify incidental , rather (process execution characteristics); e.g. than fundamental behaviors – Which dir(s) does app live in? write to? App = shadow? – App survives reboot? Spawns/terminates other For ML-based approaches, may be processes? Is orphan? Hides? Its image has changed? � Traits malware have adapted to evade AV detect other ways to achieve same end (i.e. ways not included in model) • Statefully scan network packet contents • More general characterizations – Abstract: spyware monitors/reports user actions – Concrete: rootkits that load kernel modules

  6. Broad spectrum. How to evaluate? • How effectively does this method distinguish malicious behavior from benign? • How thoroughly is target behavior captured? • How complex is the identified behavior? • How fundamental is the behavior to the malware’s purpose?

  7. Goals • We want to identify high-level behaviors Sample bot commands – “downloading and executing a program” – “acting like a TCP server” http.execute <URL> <local_path> – “acting like a proxy” harvest.registry <reg_key> redirect <lport> <rhost> <rport> – “leaking sensitive data” startkeylogger • Bot-command-level actions • Via monitoring process execution • Distinguish malicious from benign instances of above by identifying if remotely initiated

  8. tcp connection Example: Acting like a proxy tcp connection

  9. Identifies ordering dependencies Not shown here edge constraints die operations socket duplication intervening irrelevant ops

  10. Including parameters and constraints Constraints can be pre-conditions or post-conditions

  11. tcp_client

  12. We’ll focus on this Refining

  13. (send_buf == recv_buf) • Too constrained; really want to express: the buffer that is sent is derived from a buffer that is received • Augment (add action to): on_match of net_recv set_tainted( recv_buf, sd2 /*taint label*/ ) • Change condition to: tainted( send_buf, sd2 /*taint label*/ )

  14. Modified graph

  15. .redirect <loc_port> <rem_host> <rem_port> Add constraints

  16. “Language” our system exports • Set of high-level primitives that can be combined to describe interesting behaviors – tcp_client , tcp_server , net_send , net_r ecv , create_exec_file , … • Using these, we can detect: – Leak private data (reg key values, file contents, system info, …) – Download and execute a program – Send email – Proxy – Keystroke logging

  17. Challenges • Posed by proprietary-OS environment – Opacity; identifying operations & constraints – Replicating OS semantics • Posed by syscall interposition generally • Posed by hypothetical attempts to evade – Split behavior across processes or across runs of the same application – Expropriate kernel functionality • e.g. raw sockets

  18. Summary � Target the behaviors that make bots useful � Identify the essential ops in those behaviors � Use data-flow analysis info variously � Good initial results against bots o Including: rbot, agobot, dsnxbot, spybot, ... o Use bot commands as inspiration o Resilient to encryption of bot communications � Good initial results against benign progs o When testing against specifications that encode remote-control requirement o Performing user-input tracking

Recommend

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot; the human level to the physical level? &quot; the decide level to the action level? MDPs are great, search is great,

676 views • 31 slides
High-level languages High-level languages are not immune to these problems. Actually, the

High-level languages High-level languages are not immune to these problems. Actually, the

High-level languages High-level languages are not immune to these problems. Actually, the situation is even worse: the compiler might reorder/remove/add memory accesses; and then the hardware will do some relaxed execution. p. 1 Constant

512 views • 26 slides
High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level

High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level

Just compile it: High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level language? julia&gt; function mandel(z) c = z Dynamically typed, high-level syntax maxiter = 80 for n = 1:maxiter if abs(z) &gt; 2

953 views • 44 slides
What is a Bro log? 1 What is a Bro log? A stream of

What is a Bro log? 1 What is a Bro log? A stream of

What is a Bro log? 1 What is a Bro log? A stream of high level entries that correspond to lower level events. An HTTP request/reply pair.

749 views • 16 slides
Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR

Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR

Autonomous Ground Systems CROSS CORRELATING GROUND-LEVEL PANORAMAS WITH SATELLITE IMAGERY FOR GPS-DENIED LOCALIZATION OF AUTONOMOUS GROUND VEHICLES Calvin Cheung Stanley Baek U.S. Army Tank Department of Electrical and Computer Army

397 views • 15 slides
Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2016 - Lecture 13: Practical Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and blind stupidity DotCloud: high-level (2)

1.26k views • 51 slides
Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2015 - Lecture 10: Practical Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and blind stupidity DotCloud: high-level (2)

440 views • 43 slides
HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH: FROM HYPER- HEURISTICS TO ALGORITHM SELECTION MUSTAFA MISIR HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem (~instance), Operates upon perform a search on algorithm space

526 views • 23 slides
Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want

Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want

Juliana Franco Martin Hagelin Tobias Wrigstad Sophia Drossopoulou The OHMM framework Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want fast programs? More cores? More threads? Write better

330 views • 29 slides
UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting

UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting

UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting on TB Level Meeting on TB Berlin, 18 May 2017 Berlin, 18 May 2017 Berlin, 18 May 2017 Berlin, 18 May 2017 Lucica Ditiu and Greg Paton, Stop TB

668 views • 20 slides
Bridging the gap between low level vision and high level tasks

Bridging the gap between low level vision and high level tasks

Bridging the gap between low level vision and high level tasks VALSE 2019-09-18 1 Outline Gated fusion network for single image dehazing , CVPR18 Benchmarks: RESIDE (dehazing), MPID

1k views • 45 slides
High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng

High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng

High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng University of South Florida 1 Existing Design Flow Register-transfer (RT) synthesis Specify RT structure (muxes, registers, etc) Allows

1.29k views • 70 slides
INVESTOR + Second level PRESENTATION Third level Fourth level Fifth level F e b r u

INVESTOR + Second level PRESENTATION Third level Fourth level Fifth level F e b r u

Click to edit Master text styles + INVESTOR + Second level PRESENTATION Third level Fourth level Fifth level F e b r u a r y 2 0 1 8 Forward-looking statement This document contains certain forward-looking statements with

1.12k views • 31 slides
UYR Second level Third level Under Your Radar Fourth level Fifth level

UYR Second level Third level Under Your Radar Fourth level Fifth level

Click to edit Master title style Click to edit Master text styles UYR Second level Third level Under Your Radar Fourth level Fifth level Covert Channel &amp; Exfiltration Ali Hadi / Mariam Khader Princess Sumaya

277 views • 25 slides
Introduction to Python Python: very high level language, has high-level data structures built-in

Introduction to Python Python: very high level language, has high-level data structures built-in

Introduction to Python Python: very high level language, has high-level data structures built-in (such as dynamic arrays and dictionaries). easy to use and learn. Can be used for scripting (instead of Perl, awk), or for general programming.

414 views • 14 slides
How to Sell Process Improvement Second level Third level Fourth level Fifth

How to Sell Process Improvement Second level Third level Fourth level Fifth

Click to edit Master text styles How to Sell Process Improvement Second level Third level Fourth level Fifth level Molly Levy Manager, Developmental Quality Engineering DRS Technologies A Finmeccanica Company DRS

439 views • 20 slides
Defining, Transforming, and Exchanging High-Level Schemas My answer: Any schema above the

Defining, Transforming, and Exchanging High-Level Schemas My answer: Any schema above the

What is a High-Level Schema? Defining, Transforming, and Exchanging High-Level Schemas My answer: Any schema above the statement level A guided journey through the outback I see two distinct levels of abstraction: Presented by Michael W.

430 views • 7 slides
High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language Why Learn New Language availability special features porting maintenance more tools required for job cost Why Design a

1.36k views • 54 slides
Scalable Inference and Learning for High-Level Probabilistic Models Guy Van den Broeck KU Leuven

Scalable Inference and Learning for High-Level Probabilistic Models Guy Van den Broeck KU Leuven

Scalable Inference and Learning for High-Level Probabilistic Models Guy Van den Broeck KU Leuven Outline Motivation Why high-level representations? Why high-level reasoning? Intuition: Inference rules Liftability theory:

1.96k views • 152 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
High-Level Wrapper for CloudKeeper Architecture Configuration Architecture High-Level Workflow

High-Level Wrapper for CloudKeeper Architecture Configuration Architecture High-Level Workflow

High-Level Wrapper for CloudKeeper Architecture Configuration Architecture High-Level Workflow Abstraction Layer Workflow Service provides pre-configured CloudKeeper environments (in particular, a workflow interpreter) Forked Simple-Module

420 views • 15 slides
Behavioral Perspective Third level Fourth level Fifth level David Anderson, PhD LP

Behavioral Perspective Third level Fourth level Fifth level David Anderson, PhD LP

Click to edit Master text styles Incentive-Based Wellness Programs: Understanding the Rules of the Road Second level Behavioral Perspective Third level Fourth level Fifth level David Anderson, PhD LP Innovations in Workplace

249 views • 10 slides
1 How gates work NOT ( ) NAND ( ) o Transistors can be made to

1 How gates work NOT ( ) NAND ( ) o Transistors can be made to

The digital logic level Bits and Gates ... The digital logic level Level 2 Conventional Machine Level Level 1 Micro Programming Level Computer Science Ground Floor Digitial Logic Level CS240 Computer Organization Department of Computer

83 views • 6 slides
Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National

Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National

OOPSLA 18 Boston Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National Univ. Chung-Kil Hur MPI-SWS Ralf Jung Zhengyang Liu University of Utah John Regehr Nuno P. Lopes Microsoft Research

1.3k views • 127 slides

More recommend