on static malware detection
play

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. - PowerPoint PPT Presentation

Oct 02, 2023 •418 likes •1.34k views

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

  1. On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13

  2. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware

  3. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a Malware detection is central computer system used to monitor technical problems in the aircraft was infected with malware important!!

  4. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature

  5. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable

  6. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment

  7. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval

  8. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature Solution: o Easy to get around Check the behavior (not the syntax) of o New variants of viruses with the same behavior cannot be detected by these techniques the program without executing it o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Static Analysis and Model Checking are good candidates

  9. Goal: Static Analysis and Model- checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism? Existing works: use finite automata to model the programs Stack?

  10. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : push L1 L0 : call f L’0: jmp f L1: … L1: … … … … … f : function f f : function f

  11. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system Important to analyse the program’s • Antiviruses determine malware by checking the calls stack to the operating systems. • Virus writers try to hide these calls. L0 : push L1 Solution: L0 : call f L’0: jmp f Use pushdown systems to model L1: … L1: … programs … … … … f : function f f : function f

  12. Pushdown Systems PDS = finite automaton + Stack P =(P, Г , Δ), • P is a finite set of control states • Г is the stack alphabet • Δ ⊆ (P× Г) × (P×Г*) is a finite set of transitions • A configuration is a pair <p,ω> ∈ × Г * P • If <p, α> → <p’,ω> ∈ Δ, then, for every u ∈ Г*, <p, αu> => <p’,ωu>

  13. From Binary Codes to PDSs

  14. Difficulty: mov eax, 1 0 is pushed dec eax It’s non-trival to get onto the stack push eax registers’ values call GetModuleHandleA

  15. Computing Registers’ Values We need an oracle that computes the values of the registers mov eax, 1 eax’s value dec eax is 0 push eax call GetModuleHandleA We use Jakstab [Kinder-Veith 2008] to implement the oracle Jakstab (Java Toolkit for static analysis of binaries) does a kind of constant propagation to determine registers’ values

  16. From Binary Codes to PDSs l 1 : mov eax, 1 l 2 : dec eax g 0 = entry point of l 3 : push eax GetModuleHandeA l 4 : call GetModuleHandleA l 5 : ... Control states of PDS = control points of program Stack alphabet = return addresses+ registers’ values l 1 l 2 Push 0 Push l 5 l 3

  17. Malicious behaviors? Binary code ╞ Malicious behavior ? Specification PDS formalism?

  18. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations.

  19. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations. How to describe this specification?

  20. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) EX p : there is a path where p holds at the next state

  21. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX call GetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX call GetModuleHandleA ) ˅ ….. all the other registers EX p : there is a path where p holds at the next state

  22. Specification of malicious behaviors? Example: fragment of email worm Avron EX p mov eax, 0 p push eax call GetModuleHandleA Huge! In CTL (Branching-time temporal logic) : mov(eax,0) ˄ EX ( push(eax) ˄ EX call GetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX call GetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX call GetModuleHandleA ) ˅ ….. all the other registers EX p : there is a path where p holds at the next state

  23. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 CTPL = CTL + ∃ , ∀ push eax variables + call GetModuleHandleA In CTL: mov(eax,0) ˄ EX ( push(eax) ˄ EX callGetModuleHandleA ) ˅ mov(ebx,0) ˄ EX ( push(ebx) ˄ EX callGetModuleHandleA ) ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX callGetModuleHandleA ) ˅ ….. all the other registers In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) r

  24. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 CTPL = CTL + ∃ , ∀ push eax variables + call GetModuleHandleA In CTL: CTPL cannot describe the stack: mov(eax,0) ˄ EX ( push(eax) ˄ EX callGetModuleHandleA ) ˅ needed for malicious behaviors mov(ebx,0) ˄ EX ( push(ebx) ˄ EX callGetModuleHandleA ) description ˅ mov(ecx,0) ˄ EX ( push(ecx) ˄ EX callGetModuleHandleA ) ˅ ….. all the other registers In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) r

  25. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push eax This returns the entry address of its call GetModuleHandleA own executable. Copy itself to other locations. In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) r

  26. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA mov eax, 0 with 0 as parameter. push ebx This returns the entry address of its pop ebx own executable. push eax Copy itself to other locations. call GetModuleHandleA In CTPL: ᴲ ( mov(r,0) ˄ EX ( push(r) ˄ EX call GetModuleHandleA ) ) the head of r stack is 0 Our solution: Consider predicates over the stack In SCTPL: EF ( call GetModuleHandleA ˄ 0 Г* ) EF p : there is a path where p holds in the future

  27. SCTPL Logic  ::= b |¬  |  ∧  | EX  | E [  U  ] | EG 

  28. SCTPL Logic  ::= b(y 1 ,…,y n ) |¬  |  ∧  | EX  | E [  U  ] | EG  • y ∈ Y , a set of variables over a finite domain D

  29. SCTPL Logic  ::= b(y 1 ,…,y n ) |¬  |  ∧  | EX  | E [  U  ] | EG  |  y  • y ∈ Y , a set of variables over a finite domain D

Recommend

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21 Overview

1.3k views • 53 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

348 views • 19 slides
SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj Giovanni Vigna B.S Manjunath Ezeanaka Kingsley CISC850 Cyber Analytics CISC850 Cyber Analytics Abstract Sigmal as a malware detection framework -

454 views • 17 slides
D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command

D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command

D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command &amp; Control Automotive Consumer Energy &amp; Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&amp;D of malware with exotic C&amp;C

781 views • 34 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS &amp; Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of

1.04k views • 52 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Introduction Mining specifications Detecting malware Results References Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir Touili 2 1 INRIA Rocqencourt 2 LIAFA Univ. Paris 7 November 4, 2013

870 views • 45 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng, Feng Li, Xukai Zou, and Jie Wu 1 / 47 Proximity malware Definition. Proximity malware is a malicious program which propagates

618 views • 47 slides
Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou Intro Increase of stealthy malware in enterprises Obfuscation, polymorphic techniques Often uses

766 views • 25 slides
Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements intermission Introduction to Computer Security Middlebox, malware, anonymity combined slides Denial of service and the network Anonymous communications

253 views • 11 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Malware Behavioral Detection by Attribute-Automata using Abstraction from Platform and Language

Malware Behavioral Detection by Attribute-Automata using Abstraction from Platform and Language

Malware Behavioral Detection by Attribute-Automata using Abstraction from Platform and Language JACOB Grgoire 1/2 , DEBAR Herv 1 , FILIOL Eric 2 1 Orange Labs / France Tlcom R&amp;D, Security and Trusted Transactions (MAPS/STT). 2

327 views • 21 slides
Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone

Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone

Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone Experience Team Proofpoint George Zhao Yash Patel Graham Thomas Brad Doherty Crystal Lewis Department of Computer Science and Engineering

761 views • 10 slides
Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone

Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone

Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone Experience Team Proofpoint Crystal Lewis Yash Patel George Zhao Graham Thomas Brad Doherty Department of Computer Science and Engineering Michigan

402 views • 11 slides

More recommend