Effective and Efficient Malware Detection at the End Host
Clemens Kolbitsch, Paolo Milani Comparetti @ TU Vienna
Christopher Kruegel @ UCSB
Engin Kirda @ Institute Eurecom
Xiaoyong Zhou, XiaoFeng Wang @ Indiana Univ. at Bloomington
USENIX Security Symposium '09
Outline
• Motivation
• System Overview
• System Details
• Evaluation
• Limitation
• Conclusion
MOTIVATION: Effectiveness & Efficiency
Motivation
• Efficiency (cheap to run, but easily evaded)
  – Binary-signature-based detection
  – Network-based detection
• Effectiveness
  – Behavior-based detection
    • Detection based on the malware's behavior
    • Behavior is hard to obfuscate
    • Behavior is hard to randomize
    • Behavior is often stable across different versions of the same malware
Motivation
• This paper proposes…
  – A behavior-based solution that is also efficient
  – Designed to run on end hosts
SYSTEM OVERVIEW: Modeling Behaviors and Making Detection Efficient
System Overview
• Malware behaviors
  – Manifest on the system (i.e., survive a reboot)
    • (Over-)write system executables, DLLs, files
    • Create registry entries
    • Register as a Windows (startup) service
  – Conceal themselves from detection
    • Restart under a stealthy name (e.g., svchost.exe)
    • Inject into legitimate processes
  – Replicate
    • Send emails
    • Copy to Samba shares, USB drives, etc.
    • Scan and exploit services on the LAN or WAN
System Overview
• Detection based on execution characteristics
  – Execute the malware in a full-system emulator (Anubis)
  – Monitor its interaction with the operating system
  – Perform detailed taint analysis
  – Generate behavior (detection) graphs
    • Describe the sequence of system calls required to reach security-relevant system activity
    • Include dependencies on related, earlier calls (derived from the taint dependencies)
• Detect the described behavior on the end host
  – Log the system-call activity of the unknown executable
  – Match the log against the behavior graph
System Overview
• Example: Agent (trojan)
• As part of its system manifestation, it
  – Reads content from its own binary image
  – Decrypts that content
    • Proprietary decryption routine
    • Simple XOR-based algorithm
  – Stores the decrypted binary in a system file (C:\Windows\system32\drivers\ip6fw.sys)
  – Later restarts the IPv6 firewall
    • Turns itself into a system service
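As an added example (not code from the paper or these slides), the Python sketch below shows the end-host matching step from the system overview applied to the Agent behavior above. A small behavior graph lists the required system calls with argument constraints, and its single dependency edge demands that the bytes written to ip6fw.sys be the XOR-decrypted contents of what the process read from its own image. The event layout, the call names, the XOR key, the process and file paths other than ip6fw.sys, and both sample logs are constructed; the dependency check re-runs a candidate transformation on the earlier call's output instead of tracking taint on the end host, which is a simplification of the mechanism the slides describe.

```python
"""Toy behavior-graph matcher over a constructed end-host system-call log.

Nodes are system calls (plus an argument predicate) in the order they must
occur; edges demand a data dependency: the output of an earlier call, pushed
through a transformation, must equal an argument of a later call. Everything
except the ip6fw.sys path is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    """One recorded system call made by the monitored process."""
    name: str
    args: Dict[str, object]
    output: bytes = b""        # data the call returned (e.g. bytes read)
    process_image: str = ""    # on-disk image of the calling process


@dataclass
class Node:
    ident: str
    call: str
    pred: Callable[[Event], bool] = lambda e: True


@dataclass
class Edge:
    """func(output of src) must equal argument `arg` of dst."""
    src: str
    dst: str
    arg: str
    func: Callable[[bytes], bytes] = lambda b: b


@dataclass
class BehaviorGraph:
    nodes: List[Node]   # temporal order of the required calls
    edges: List[Edge]


def xor_decrypt(buf: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for Agent's simple XOR-based routine (the key is assumed)."""
    return bytes(b ^ key for b in buf)


def match(graph: BehaviorGraph, log: List[Event]) -> Optional[Dict[str, Event]]:
    """Bind each node to the first suitable event after the previous binding
    (greedy, good enough here), then verify every dependency edge."""
    binding: Dict[str, Event] = {}
    pos = 0
    for node in graph.nodes:
        hit = next((i for i in range(pos, len(log))
                    if log[i].name == node.call and node.pred(log[i])), None)
        if hit is None:
            return None                       # a required call never happened
        binding[node.ident], pos = log[hit], hit + 1
    for e in graph.edges:
        # What a byte signature cannot express: the bytes written must be
        # derived (here: XOR-decrypted) from the bytes read earlier.
        if e.func(binding[e.src].output) != binding[e.dst].args.get(e.arg):
            return None
    return binding


IP6FW = "C:\\Windows\\system32\\drivers\\ip6fw.sys"   # path from the slide
AGENT = "C:\\Temp\\agent.exe"                         # constructed

AGENT_GRAPH = BehaviorGraph(
    nodes=[
        Node("read_self", "NtReadFile",
             lambda e: e.args.get("path") == e.process_image),
        Node("drop_driver", "NtWriteFile",
             lambda e: str(e.args.get("path", "")).lower() == IP6FW.lower()),
        Node("start_service", "StartService",
             lambda e: str(e.args.get("binary_path", "")).lower() == IP6FW.lower()),
    ],
    edges=[Edge("read_self", "drop_driver", "buffer", xor_decrypt)],
)

PAYLOAD = b"MZ\x90\x00fake driver body"   # constructed plaintext driver
ENCRYPTED = xor_decrypt(PAYLOAD)            # XOR is its own inverse

# Constructed trojan log: read own image -> write decrypted driver -> start it.
MALICIOUS_LOG = [
    Event("NtCreateFile", {"path": AGENT}, process_image=AGENT),
    Event("NtReadFile", {"path": AGENT}, output=ENCRYPTED, process_image=AGENT),
    Event("NtWriteFile", {"path": IP6FW, "buffer": PAYLOAD}, process_image=AGENT),
    Event("StartService", {"binary_path": IP6FW}, process_image=AGENT),
]

# Constructed log of a legitimate updater: same call sequence, but the driver
# it writes comes from a vendor file, not from its own decrypted image.
UPDATER = "C:\\Setup\\update.exe"
VENDOR_DRIVER = b"MZ\x90\x00vendor driver body"
BENIGN_LOG = [
    Event("NtReadFile", {"path": UPDATER}, output=b"MZ\x90\x00updater", process_image=UPDATER),
    Event("NtReadFile", {"path": "C:\\Setup\\ip6fw.sys"}, output=VENDOR_DRIVER, process_image=UPDATER),
    Event("NtWriteFile", {"path": IP6FW, "buffer": VENDOR_DRIVER}, process_image=UPDATER),
    Event("StartService", {"binary_path": IP6FW}, process_image=UPDATER),
]


def is_agent(log: List[Event]) -> bool:
    return match(AGENT_GRAPH, log) is not None


if __name__ == "__main__":
    print("trojan log  :", is_agent(MALICIOUS_LOG))   # True
    print("updater log :", is_agent(BENIGN_LOG))      # False
```

The benign log is the point of the edge: a legitimate updater produces the same read/write/start-service sequence, and a matcher that only checked call order would flag it, while the dependency check rejects it because nothing it wrote was derived from its own image. The binding is greedy (first suitable event per node), so a process that issues the matching calls twice, with only the second pair linked by a data flow, would need a backtracking matcher; that is left out here to keep the idea visible.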