session 5 information security northeastern university
play

Session 5: Information Security Northeastern University - PowerPoint PPT Presentation

Jul 18, 2023 •19 likes •669 views

Session 5: Information Security Northeastern University International Secure Systems Lab A Large-Scale, Automated Approach to Detecting Ransomware Amin Kharraz mkharraz@ccs.neu.edu Disclosure: This research was funded by National Science

  1. Session 5: Information Security

  2. Northeastern University International Secure Systems Lab A Large-Scale, Automated Approach to Detecting Ransomware Amin Kharraz mkharraz@ccs.neu.edu Disclosure: This research was funded by National Science Foundation and Secure Business Austria

  3. Infecting Victim’s Machine Attachments Drive-by Downloads Malicious binaries

  4. Macro Viruses: An Innocent Looking Word File

  5. By opening the file you might get infected

  6. What is a ransomware attack? 1 Paying the ransom fee Paying the ransom fee Receiving the decryption key 2

  9. Achilles’ Heel of Ransomware • Ransomware has to inform victim that attack has taken place • Ransomware has certain behaviors that are predictable – e.g., entropy changes, modal dialogs and background activity, accessing user files • A good sandbox that looks for some of these signs helps here…

  10. Content Generator User I/O MANAGER Kernel UNVEIL

  11. User I/O MANAGER Kernel UNVEIL

  12. Iteration over files during a CryptoWall attack

  13. Evaluation UNVEIL with unknown samples ~ 1200 malware samples per day 56 UNVEIL-enabled . . . VMs on 8 Servers Ganeti Cluster

  14. Evaluation UNVEIL with unknown samples ● The incoming samples were acquired from the daily malware feed provided by Anubis from March 18 to February 12, 2016. ● The dataset contained 148,223 distinct samples.

  15. Cross-checking with VirusTotal ● The results are concentrated either towards small or very large detection ratios. ● A sample is either detected by a relatively small number, or almost all of the scanners.

  16. Deployment Scenario (Malware Research) Sandbox . . . Malware Dataset Malware Analyst

  17. Deployment Scenario (End-point Solution) ● Running UNVEIL as an augmented service ● UNVEIL supports legacy platforms ● Incurs modest overhead, averaging 2.6% for realistic work loads

  18. Conclusion • Ransomware is a challenging problem – But it has predictable behaviors compared to other malware • UNVEIL introduces concrete models to detect those behaviors – We’ve shown that our detection model is useful in practice • There is definitely room for improvement – We can extend our dynamic systems with functionality tuned towards detecting ransomware

  19. Thank You

  20. INVESTIGATING COMMERCIAL PAY-PER-INSTALL Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panos Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy This research was funded by the National Science Foundation and Gifts from Google

  21. Unwanted software Millions of users with symptoms of unwanted software. How was it installed?

  22. Commercial pay-per-install Practice of bundling several additional applications.

  23. Deceptive promotions Users deceived into unintentionally installing unrelated software.

  24. Our work Year-long investigation into the marketplace of bundling: Relationships with unwanted software Deceptive promotional tools Negative impact on users Get the community on board to tackle unwanted software

  25. 1 BEHIND THE SCENES

  26. Pay-per-install affiliate model Advertisers: software developers willing to buy installs.

  27. Pay-per-install affiliate model $$$ Advertisers PPI Network PPI affiliate network: middle-man that create download manager.

  28. Pay-per-install affiliate model Advertisers $$$ $$ PPI Network Publishers Publishers: popular software developers or websites that distribute bundles for a fee.

  29. Pay-per-install affiliate model Advertisers $$$ $$ PPI Network Publishers Decentralized distribution can lend itself to abuse.

  30. 2 MONITORING PPI NETWORKS

  31. Upon launching a PPI bundle... Fingerprint C&C domain system & request offers Report successful installs Optional splash screen post- install

  32. Analysis pipeline

  33. Dataset PPI Network Milking Period Offers Unique Outbrowse Jan 8, 2015 -- Jan, 7, 2016 107,595 584 Amonetize Jan 8, 2015 -- Jan, 7, 2016 231,327 356 InstallMonetizer Jan 11, 2015 -- Jan, 7, 2016 30,349 137 OpenCandy Jan 9, 2015 -- Jan, 7, 2016 77,581 134 Total Jan 8, 2015 -- Jan, 7, 2016 446,852 1,211

  34. 3 ANALYSIS

  35. Most frequent advertisers Brand PPI Networks Days Active Wajam 4 365 Ad Vopackage 3 365 Injectors Youtube Dwnldr 3 365 Eorezo 2 365 Browsefox 4 363 Browser Conduit 3 327 Settings CouponMarvel 1 300 Hijackers Smartbar 3 294 Speedchecker 2 365 Cleanup Uniblue 4 327 OptimizerPro 4 302 Utilities Systweak 3 249

  36. VirusTotal labels 59% of weekly offers flagged by at least 1 AV

  37. Anti-virus detection Advertiser-specified installation criteria avoids hostile AV: (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Avast')!=0) (g_ami.CheckRegKey(g_hkcu, 'SOFTWARE\\\\Avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'Software\\\\AVAST Software')!=0) (g_ami.CheckRegKey(g_hkcu, 'Software\\\\AVAST Software')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Avira')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Classes\\\\avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\ESET')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'AppEvents\\\\Schemes\\\\Apps\\\\Avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SYSTEM\\\\CurrentControlSet\\\\Services\\\\avast! Antivirus ')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Avast')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\{C1856559-BA5C-41B7-961C-677E89A2C490}')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\{0D40F91C-41DE-4E06-8B14-ABCCF7A51495}')!=0) (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\\\\{8B261394-6C7D-4CFC-A767-E02F34A60D8B}')!=0) HKEY_LOCAL_MACHINE SOFTWARE\\\\OpenVPN HKEY_LOCAL_MACHINE SOFTWARE\\\\VMware,*Inc. HKEY_LOCAL_MACHINE SOFTWARE\\\\Oracle\\\\VirtualBox| 20% of advertisers use some AV/VM detection

  38. Price per install Price ranges $0.10–$1.50

  39. 4 USER IMPACT

  40. Unwanted software warnings

  41. Weekly user warnings 60M warnings every week

  42. 5 DECEPTIVE DISTRIBUTION

  43. Promotional tools

  44. Domain cycling Distribution sites cycle every 1-7 hours

  45. Safe Browsing evasion

  46. Takeaways Unwanted software massive commercial ecosystem: Tens of millions of users affected Pay-per-install primary distribution vector Misaligned incentives for advertisers, publishers

  47. Killed by Proxy: Analyzing Client-end TLS Interception Software Xavier de Carné de Carnavalet and Mohammad Mannan Concordia University, Canada Funding support: Vanier CGS, NSERC, and OPC Original publication: NDSS 2016

  48. HTTPS usage • Secures client-server connection • > half the websites now support HTTPS

  49. Antivirus vs. HTTPS • Both help secure your data/online experience Browser Antivirus Website • AVs also want to guard against web malware • But malware may come via HTTPS

  50. Client-end TLS interception 1. Ad-related products (SuperFish/PrivDog/Komodia) • inject/replace ads 2. Antivirus products • eliminate drive-by downloads, malicious scripts 3. Parental control applications • block access to unwanted websites, hide swear words

  51. Wanted vs. unwanted interception • Unwanted adware can/should be removed • But AVs and parental control apps are – “wanted” – “strongly recommended” or “required”

  52. Our targets • 14 security products in Windows – March and August 2015 • All but one significantly downgrade TLS security

  53. Implications • Attacker must be an active Man-in-the-Middle – Anywhere between a user and website – Target all users of a product vs. selective users – No admin privilege is needed • Can impersonate a server • Can extract secrets e.g., authentication cookies • Design flaws – not software bugs

  55. Our test framework Hybrid test framework: adapt existing + custom tests 1. Private key protection 2. Certificate validation 3. Cipher suites & protocols 4. Transparency

  56. Root certificate and private key • Pre-generated certificates (2/14) • Proxies accept own certificates (12*/12) • User-readable private keys (9/14) • Root cert. not removed after uninstallation (8/14) • Certificates are valid, on average, for 10 years

  57. Site certificate validation • No validation (3/12) • Improper signature verification (1/12) • Accept weak primitives: MD5 (9/12), RSA 512 (7/12) • No revocation check (9/12) • Custom CA store (3/12): DigiNotar+CNNIC; Mozilla Trusted CAs from 2009; One RSA 512 root CA

  58. Protocol, cipher suites and attacks • SSL 3.0 support (6/12), no support for TLS 1.1+ (6/12) • Weak cipher suites: RC4 and MD5 (10/12) • Proxies vulnerable to known attacks: Insecure Renegotiation (1), BEAST (7), CRIME (1), FREAK (5), Logjam (3)

Recommend

Alexandru Suciu Northeastern University Session on the Geometry and Topology of Differentiable

Alexandru Suciu Northeastern University Session on the Geometry and Topology of Differentiable

T OPOLOGY OF COMPLEX ARRANGEMENTS Alexandru Suciu Northeastern University Session on the Geometry and Topology of Differentiable Manifolds and Algebraic Varieties The Eighth Congress of Romanian Mathematicians Ia si, Romania, June 30, 2015

510 views • 23 slides
Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University noubir@ccs.neu.edu CSG254: Network Security Slides adapted from Radia Perlmans slides Key Distribution - Secret Keys What if there are millions of users

706 views • 41 slides
Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University noubir@ccs.neu.edu Network Security Slides adapted from Radia Perlmans slides Key Distribution - Secret Keys What if there are millions of users and

624 views • 14 slides
Email Security Guevara Noubir Network Security Northeastern

Email Security Guevara Noubir Network Security Northeastern

Email Security Guevara Noubir Network Security Northeastern University Email Security 1 Email One of the most widely used applica>ons of the

360 views • 14 slides
Alex Suciu Northeastern University Special Session Advances in Arrangement Theory Mathematical

Alex Suciu Northeastern University Special Session Advances in Arrangement Theory Mathematical

A RRANGEMENT COMPLEMENTS AND M ILNOR FIBRATIONS Alex Suciu Northeastern University Special Session Advances in Arrangement Theory Mathematical Congress of the Americas Montral, Canada July 25, 2017 A LEX S UCIU (N ORTHEASTERN ) A RRANGEMENT

593 views • 17 slides
Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter

Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter

Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu Counter Hack Reloaded, Ed Skoudis, 2005, Prentice-Hall. Threats to Communication Networks Security was an add-on to many network

456 views • 10 slides
Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University

Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University

Practical Network Security: Basic Tools & Techniques Guevara Noubir Northeastern University noubir@ccs.neu.edu G. Noubir Tools 1 1 Lesson Outcomes: you need to be able to Describe and discuss the various security threats to

1.04k views • 39 slides
Wireless and Mobile Security -- an introduction Guevara Noubir Northeastern University

Wireless and Mobile Security -- an introduction Guevara Noubir Northeastern University

Wireless and Mobile Security -- an introduction Guevara Noubir Northeastern University noubir@ccs.neu.edu Outline Introduction to the topics Structure of lectures Logistics G. Noubir 2 Wireless Communications Key technology

222 views • 10 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Northeastern University 815 Columbus Avenue Northeastern EXP is a nine-story, 350,000-square-foot

Northeastern University 815 Columbus Avenue Northeastern EXP is a nine-story, 350,000-square-foot

Boston Employment Commission Presentation September 16, 2020 Northeastern University 815 Columbus Avenue Northeastern EXP is a nine-story, 350,000-square-foot research center on Columbus Avenue. This preliminary rendering shows a facility that

776 views • 16 slides
1 Terminology Security services: Authentication, confidentiality, integrity,

1 Terminology Security services: Authentication, confidentiality, integrity,

Fundamentals of Cryptography: Algorithms, and Security Services Professor Guevara Noubir Northeastern University noubir@ccs.neu.edu Network Security: Private Communication in a Public World [Chap. 2-8] Charles Kaufman, Mike Speciner, Radia

454 views • 20 slides
Information Security Collaboration Tom Dugas, Director of Information Security @ Duquesne

Information Security Collaboration Tom Dugas, Director of Information Security @ Duquesne

Information Security Collaboration Tom Dugas, Director of Information Security @ Duquesne University Maureen Bertocci, Director of Information Security @ Robert Morris University What is C-CUE C-CUE is a Western-PA regional association of

433 views • 11 slides
INFORMATION SECURITY A DAY IN THE LIFE WHO AM I? Security officer for MIE CISSP , CISA,

INFORMATION SECURITY A DAY IN THE LIFE WHO AM I? Security officer for MIE CISSP , CISA,

INFORMATION SECURITY A DAY IN THE LIFE WHO AM I? Security officer for MIE CISSP , CISA, CGEIT, CRISC, CRMA, PMP , FLMI and studying for CISM RMR and JA Interactive session share stories THREAT SOURCES Nation States

491 views • 26 slides
Reinforcement Learning Rob Platt Northeastern University Some images and slides are used from:

Reinforcement Learning Rob Platt Northeastern University Some images and slides are used from:

Reinforcement Learning Rob Platt Northeastern University Some images and slides are used from: AIMA CS188 UC Berkeley Reinforcement Learning (RL) Previous session discussed sequential decision making problems where the transition model and

609 views • 58 slides
Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems Lab 3 Review on CSRF & Path Traversal Hacker Wall of Fame (Lab 3 members in italics) Jacob Buckheit (2x) Jenny Zhu Ti ff any Chen

238 views • 13 slides
Lunch & Learn May 19, 2016 Northeastern University AGENDA Staffing Update Internal

Lunch & Learn May 19, 2016 Northeastern University AGENDA Staffing Update Internal

Northeastern University Research Administration Lunch & Learn May 19, 2016 Northeastern University AGENDA Staffing Update Internal Deadline Reminder CITI Clarification Award Budget Obligation Template Funding Agency Updates Forms

182 views • 14 slides
Towards Practical ORAM Guevara Noubir College of Computer and Information Science Northeastern

Towards Practical ORAM Guevara Noubir College of Computer and Information Science Northeastern

Towards Practical ORAM Guevara Noubir College of Computer and Information Science Northeastern University, Boston, MA noubir@ccs.neu.edu 1 Outline Motivation Model Original Papers [1987 - 1996] Square root ORAM &

1.06k views • 77 slides
Madeline Brambilla Northeastern University Massachusetts Breast Cancer Coalition & Silent

Madeline Brambilla Northeastern University Massachusetts Breast Cancer Coalition & Silent

Madeline Brambilla Northeastern University Massachusetts Breast Cancer Coalition & Silent Spring Institute Northeastern University PlusOne Program MA expected September 2013 - Environmental Sociology Research Assistant at the

274 views • 8 slides
MSP430 Clock System and Timer College of Computer and Information Science , Northeastern

MSP430 Clock System and Timer College of Computer and Information Science , Northeastern

MSP430 Clock System and Timer College of Computer and Information Science , Northeastern University References: Texas Instruments, MSP430x1xx Family Users Guide Texas Instruments, MSP430x15x, MSP430x16x, MSP430x161x MIXED SIGNAL

361 views • 22 slides
American Philhellenes Society Northeastern Illinois University May 15, 2012 Ladies and

American Philhellenes Society Northeastern Illinois University May 15, 2012 Ladies and

American Philhellenes Society Northeastern Illinois University May 15, 2012 Ladies and Gentlemen, I feel especially honored to address such a distinguished audience here in Chicago. My warmest thanks to the Authorities of Northeastern

416 views • 23 slides
Lunch & Learn March 22, 2015 Northeastern University Reimagining RA: Update on RA Initiatives

Lunch & Learn March 22, 2015 Northeastern University Reimagining RA: Update on RA Initiatives

Northeastern University Research Administration Lunch & Learn March 22, 2015 Northeastern University Reimagining RA: Update on RA Initiatives ORAF Website Refresh - Survey e PAWS Update e -Clinics RA Boot Camp Award Setup SOP

513 views • 15 slides
Software Security Information Security Prof Hans Georg Schaathun University of Surrey/lesund

Software Security Information Security Prof Hans Georg Schaathun University of Surrey/lesund

Software Security Information Security Prof Hans Georg Schaathun University of Surrey/lesund University College Autumn 2011 Week 12 Prof Hans Georg Schaathun Software Security Autumn 2011 Week 12 1 / 1 The session Outline Prof

1.06k views • 93 slides
So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security Officer Background Personal Starion Bank Arts Goals Highlight the typical responsibilities of an Information Security Officer from

778 views • 22 slides
Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University

Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University Overview How do you configure endpoints for better security? 1. Updates 2. Correct settings 3. Reduce attack surface 4. Limit privilege 5.

477 views • 19 slides

More recommend