PE-Probe: Leveraging Packer Detection and Morphological Information to Detect Malicious Portable Executables. M. Zubair Shafiq, S. Momina Tabish, Muddassar Farooq. Next Generation Intelligent Networks Research Center (nexGIN RC), National University of Computer and Emerging Sciences, Islamabad, Pakistan. http://www.nexginrc.org/

Executables - Virus Bulletin (slide deck, 43 slides)

Sep 07, 2018

Transcript
Page 1: PE-Probe: Leveraging Packer Detection and Morphological Information to Detect Malicious Portable Executables

M. Zubair Shafiq, S. Momina Tabish, Muddassar Farooq

Next Generation Intelligent Networks Research Center (nexGIN RC), National University of Computer and Emerging Sciences, Islamabad, Pakistan

http://www.nexginrc.org/

Page 2: Agenda

Projects' Introduction

Motivation & Problem Statement

Proposed Solution

Results

Q/A

Page 3: It's in your Hands, like it's in your Eyes and Face

It is believed that people's keystrokes are distinct from each other, just like their faces, fingerprints, and eyes.

Doesn't require any extra hardware for identification.

Page 4: User Authentication System

Page 5: IMS Security Challenges

IP Multimedia Subsystem (IMS) & Next Generation Service Delivery Platform

Page 6: Malware Detection

Taxonomy (diagram): Malware Detection splits into Signature Based and Non-Signature Based; Non-Signature Based splits into Static and Dynamic; Dynamic splits into After-Execution and In-Execution.

Signature Based:
. Detection on the basis of known byte sequences
. Unable to detect new malware
. Regular updates required

Non-Signature Based:
. Detection on the basis of smarter features
. Able to detect new malware
. Regular updates may not be necessary

Page 7: Malware Detection

Static Detection:
. Detection on the basis of the file as it resides on secondary storage
. Prone to techniques such as code obfuscation

Dynamic Detection:
. Detection on the basis of run-time behavior (a more direct look)
. Resilient to techniques such as code obfuscation
. High processing overhead

Page 8: Malware Detection

After-Execution Detection:
. Forensic analysis
. Lower processing overhead

In-Execution Detection:
. End user tool
. High processing overhead

Page 9: Motivation

Page 10: Motivation (2)

In Year 2008 Only [11]

• 5,491 new software vulnerabilities
• 1.6 million new malware signatures
• 245 million new attacks
• 1 trillion dollars in revenues

Page 11: Motivation (3)

Sample          Norton AV      Command AV     McAfee AV
Chernobyl-1.4   Not detected   Not detected   Not detected
F0sf0r0         Not detected   Not detected   Not detected
Hare            Not detected   Not detected   Not detected
Z0mbie-6.b      Not detected   Not detected   Not detected

Page 12: Motivation (4)

Issues with Commercial Anti-virus software

• Cannot detect new malware
• Size of signature database cannot scale
• Signatures are evaded by code obfuscation techniques (such as packing)

Page 13: Motivation (5)

Packing of Malware [12]

• 50% of new malware are simply re-packed versions of known malware
• 92% of malware use packing techniques

Page 14: Motivation (6)

Non-signature based Malware Detection Schemes

• Machine-level code
• Disassembled code
• Static calls from disassembled code
• Run-time API calls

Page 15: Motivation (7)

Issues with Non-signature based Schemes

• High run-time computational complexity
• High false alarm rates
• Low reliability (e.g. crash, halt, evasion)

Page 16: Problem Statement

Page 17: Problem Statement

• Non-signature based solution
• Low run-time complexity
• Low false alarms
• Robustness to packing
• Must not use an unpacker for detection

Page 18: PE File

Layout (diagram):
MS DOS Stub
PE file Header
Executable section
Read-only section
Writable section
Read/Write section

Existing non-signature based schemes are based on this area of the PE file (the sections that follow the headers).

Page 19: PE Header Layout

MS DOS stub
PE Signature
COFF file Header
Optional Header
  Standard Fields
  Windows Specific Fields
  Data Directories
Section Table
Section 1
Section 2
Section 3
...
Section n

(Diagram: the section table and data directories hold RVAs / pointers that lead into the sections.)

Page 20: List of Features from PE file

Page 21: PE Miner

Page 22: Architecture of PE-Probe

Page 23: Distribution of Number of Standard Sections

Page 24: Distribution of Number of Entries in Import Address Table

Page 25: Distribution of Entropy of PE Header

Page 26: Architecture of PE-Probe

Page 27: Structural Features for Non-Packed PE Files

Page 28: Distribution Plot for "Major Linker Version" Feature

Page 29: Architecture of PE-Probe

Page 30: KL Divergence of Features of Packed / Non-Packed PE Files
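The slide compares, feature by feature, how differently a structural feature is distributed in packed versus non-packed executables, which is what justifies keeping two feature sets and two models. The following is an added example written for this page (not PE-Probe's own code) of that computation: it builds a smoothed histogram of each discrete feature per class, scores the feature by the Kullback-Leibler divergence D_KL(packed || non-packed), and ranks the features. The per-file feature values are constructed for illustration, not measured from any dataset; the smoothing constant and the selection threshold are this example's assumptions.

```python
"""Added example: ranking PE structural features by KL divergence between the
packed and non-packed populations. Sample values are constructed."""
import math
from collections import Counter

ALPHA = 0.5  # additive smoothing so a value unseen in one class keeps nonzero mass


def distribution(values, support):
    """Smoothed empirical distribution of a discrete feature over `support`."""
    counts = Counter(values)
    n, k = len(values), len(support)
    return {x: (counts.get(x, 0) + ALPHA) / (n + ALPHA * k) for x in support}


def kl_divergence(p, q):
    """D_KL(P || Q) = sum_x P(x) log2(P(x) / Q(x)), in bits. Both inputs must be
    defined on the same support with no zero probabilities (see distribution)."""
    return sum(p[x] * math.log2(p[x] / q[x]) for x in p)


def rank_features(packed, non_packed):
    """Score every feature by D_KL(packed || non-packed), highest first."""
    scores = {}
    for name in packed:
        support = sorted(set(packed[name]) | set(non_packed[name]))
        p = distribution(packed[name], support)
        q = distribution(non_packed[name], support)
        scores[name] = kl_divergence(p, q)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed per-file feature values for twelve samples in each class:
# linker version and section count are chosen to differ between classes,
# subsystem is chosen to be distributed identically in both.
NON_PACKED = {
    "major_linker_version": [6, 6, 7, 7, 8, 8, 8, 9, 9, 9, 9, 10],
    "num_sections":         [3, 4, 4, 4, 5, 5, 4, 3, 4, 5, 4, 4],
    "subsystem":            [2, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2],
}
PACKED = {
    "major_linker_version": [0, 0, 0, 0, 2, 2, 0, 0, 1, 0, 0, 2],
    "num_sections":         [2, 3, 3, 3, 2, 3, 3, 2, 3, 3, 4, 3],
    "subsystem":            [2, 3, 2, 2, 3, 2, 3, 2, 3, 2, 2, 3],
}


def select_features(packed=PACKED, non_packed=NON_PACKED, threshold=0.5):
    """Features whose class distributions diverge by at least `threshold` bits."""
    return [name for name, score in rank_features(packed, non_packed)
            if score >= threshold]


if __name__ == "__main__":
    for name, score in rank_features(PACKED, NON_PACKED):
        print(f"{name:22s} D_KL(packed || non-packed) = {score:.3f} bits")
    print("selected:", select_features())
```

KL divergence is asymmetric, so D_KL(packed || non-packed) and D_KL(non-packed || packed) can rank features differently; if the goal is symmetric "how separable are the two classes on this feature", sum the two directions. The smoothing matters in practice: without it, any linker version seen only in the packed set makes the divergence infinite.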

Page 31: Structural Features for Packed PE Files

Page 32: Results

Page 33: Dataset - Offensive Computing

Page 34: Classification Metrics

Page 35: Accuracy of PE-Probe

Page 36: The Processing Overheads (seconds/file)

Columns: Training (J48, NB, RIPPER, SMO, IBK), then Testing (J48, NB, RIPPER, SMO, IBK); values in the order extracted from the slide.

Scheme            Training                                   Testing
                  J48     NB      RIPPER  SMO     IBK        J48     NB      RIPPER  SMO     IBK
PE-Miner (RFR)    -       0.0008  0.001   0.269   0.199      0.032   0.001   0.002   0.002   0.002
PE-Miner (PCA)    -       0.007   0.001   0.264   0.179      0.035   0.001   0.001   0.001   0.002
PE-Miner (HWT)    -       0.007   0.001   0.252   0.147      0.032   0.001   0.002   0.001   0.002
McBoost           -       0.021   0.004   1.305   1.122      0.218   0.010   0.007   0.005   0.022
Strings           -       0.009   0.002   0.799   0.838      0.163   0.003   0.003   0.002   0.003

Page 37: Forensic Information

Page 38: PE-Miner

Page 39: Conficker Detected as a Backdoor

Page 40: Evolvable Malware Framework

Page 41: Conclusion

• PE structural information can be leveraged to detect malware
• Packing robustness
• Machine learning classifiers can learn separate packed and non-packed models
• Robustness and evasion analysis in the accompanying PE-Miner paper in RAID 2009
• Zero-day detection of Conficker

Page 42: Acknowledgement

• Special thanks to National ICT R&D for funding this project.

Page 43: Questions

For further information and research papers, visit http://www.nexginrc.org