Reactively Adaptive Malware


Presentation Transcript


Fearless engineering

Reactively Adaptive Malware: What is it? How do we detect it?

Dr. Bhavani Thuraisingham
Cyber Security Research and Education Institute
https://csi.utdallas.edu
The University of Texas at Dallas
April 19, 2013




Outline

  • Analogies

  • Malware: What is it?

  • Our Solutions

    • Profs. Thuraisingham, Khan, Hamlen, Lin, Makris, Cardenas, Kantarcioglu

  • Directions

    • Holistic Interdisciplinary Treatment



Analogies: The Human Body

  • Humans are infected with viruses and bacteria

  • Virus replicates itself and spreads throughout the body

  • Attacks vital organs

  • Doctor conducts tests and detects the problem

  • Medicine is given to slow the progress of the disease

  • Patient’s condition may improve or the patient may die



Analogies: An Organization

  • Bad person joins the organization and pretends to be a good person

  • He/she monitors what is going on and spies on the organization

  • Conveys vital information to the adversary – insider threat

  • Builds a network of bad people

  • Takes over the organization


What is Malware?

  • It’s a piece of software that is malicious and carries out bad things

  • It infects a vulnerable and neglected machine

  • It attacks the various components of the machine – the operating system (vital organs), applications (limbs) and hardware (bone)

  • It spreads across a network of machines

  • It cripples the machines and the network

  • It conveys vital information to the enemy – the hacker

  • It takes over the network and carries out its agenda

(Figure: victim network)



What does it look like?

Example: Melissa Virus

March 26, 1999



The Virus-Antivirus Arms Race

  • Malware (e.g., viruses)

    • Rogue programs that carry out malicious actions on victim machines

      • Vandalism (delete files, carry out phishing scams, etc.)

      • Reconnaissance & secret exfiltration (cyber-warfare / hacktivism)

      • Sabotage (e.g., attacks against power grids)

    • Randomly mutate themselves automatically as they propagate

      • Harder to detect since no two samples look identical

  • Antivirus defenses

    • Defenders manually reverse-engineer many malware samples

    • Find mutation patterns

    • Build defenses to automatically detect & quarantine all mutants




Incidents Reported 1990-2001

Everything changed with the Code Red attack in 2001



Problem is much worse now!



Our Malware Team

  • Data Mining Solutions for Malware – Professor Latifur Khan

  • Reactively Adaptive Malware and Solutions – Professor Kevin Hamlen

  • Android Malware and Solutions – Professor Zhiqiang Lin

  • Hardware Malware and Solutions – Professor Yiorgos Makris

  • Adversarial Mining Solutions – Professor Murat Kantarcioglu

  • Smart Grid Malware and Solutions – Professor Alvaro Cardenas


Data Mining Solutions

Data Mining, also known as Knowledge Discovery in Databases, Data Pattern Processing or Knowledge Extraction: the process of discovering meaningful new correlations, patterns, trends and nuggets, often previously unknown, by sifting through large amounts of attack data using pattern recognition technologies and machine learning, statistical and mathematical techniques.

Thuraisingham, Data Mining: Technologies, Techniques, Tools and Trends, CRC Press 1998




Training and Testing

  • Extract features

    • Binary n-gram features

    • Assembly n-gram features

(Figure: training data, labelled as good class and bad class, is fed to data mining to build the classification model; testing data is then classified by the model. The enhancement to current data mining approaches is hierarchical clustering with DGSOT, our novel solution.)

  • DGSOT: Dynamically Growing Self-Organizing Tree

  • Supported by US Air Force 2005-2008

    • PI: Thuraisingham, Co-PI: Khan
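The feature-extraction step above, as an added example (not code from the slides or the UT Dallas project): it builds binary n-gram features from constructed byte strings and ranks them by information gain to produce good/bad feature vectors. The corpus, the marker byte pair in the "bad" samples, and the use of information gain as the selection criterion are assumptions of this example.

```python
# Added example (not code from the slides or the UT Dallas project): binary
# n-gram feature extraction with information-gain feature selection, the kind
# of feature pipeline the "Training and Testing" slide outlines. The byte
# samples below are constructed, not real executables.
from collections import Counter
from itertools import chain
import math


def byte_ngrams(data: bytes, n: int = 2) -> frozenset:
    """Distinct n-byte substrings (binary n-grams) present in data."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def entropy(labels) -> float:
    """Shannon entropy (bits) of a label multiset."""
    total = len(labels)
    return -sum(c / total * math.log2(c / total) for c in Counter(labels).values())


def information_gain(samples, labels, gram) -> float:
    """Entropy reduction from splitting the corpus on 'gram present / absent'."""
    present = [lab for s, lab in zip(samples, labels) if gram in s]
    absent = [lab for s, lab in zip(samples, labels) if gram not in s]
    n = len(labels)
    conditional = sum(len(part) / n * entropy(part) for part in (present, absent) if part)
    return entropy(labels) - conditional


def select_features(samples, labels, k):
    """Top-k n-grams by information gain (ties broken by byte value for determinism)."""
    vocab = set(chain.from_iterable(samples))
    ranked = sorted(vocab, key=lambda g: (-information_gain(samples, labels, g), g))
    return ranked[:k]


def feature_vector(sample, features):
    """Binary presence vector of one sample over the selected features."""
    return [1 if f in sample else 0 for f in features]


# Constructed corpus: three 'good' and three 'bad' byte strings. The bad
# ones share the byte pair b"\xeb\xfe" (a constructed marker, nothing more).
GOOD = [b"MZ\x90\x00hello", b"MZ\x90\x00world", b"MZ\x90\x00data!"]
BAD = [b"MZ\x90\x00\xeb\xfe!", b"MZ\x90\x00\xeb\xfex", b"\xeb\xfe\x90\x90"]
SAMPLES = [byte_ngrams(b) for b in GOOD + BAD]
LABELS = ["good"] * len(GOOD) + ["bad"] * len(BAD)


def build_feature_matrix(k: int = 3):
    """Select k features on the training corpus and vectorise every sample."""
    features = select_features(SAMPLES, LABELS, k)
    return features, [feature_vector(s, features) for s in SAMPLES]


if __name__ == "__main__":
    feats, matrix = build_feature_matrix()
    for f in feats:
        print(f, round(information_gain(SAMPLES, LABELS, f), 3))
    for row, lab in zip(matrix, LABELS):
        print(lab, row)
```

The same pipeline applies to assembly n-grams by replacing the byte substrings with sequences of disassembled opcodes; a hybrid feature set is simply the union of the two vocabularies before selection.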




Report Results: Example

  • HFS = Hybrid Feature Set (Binary and Assembly)

  • BFS = Binary Feature Set

  • AFS = Assembly Feature Set




Reactively Adaptive Malware: What is it?

  • Next-generation Malware Technology

    • Malware that mutates NON-randomly

    • LEARNS and ADAPTS to antivirus defenses fully automatically in the wild

    • Immune to conventional antivirus defenses

    • Supported by the U.S. Air Force; 2010-2013

      • PI: Hamlen, Co-PI: Khan



Data Mining-based Anti-antivirus [Hamlen & Khan]

(Figure components: Signature Approximation Model, Signature Inference Engine, Obfuscation Generation, Antivirus Signature Database, Signature Query Interface, Obfuscation Function, Malware Binary, Obfuscated Binary, Testing, propagate.)


“Frankenstein” [Mohan & Hamlen, USENIX WOOT, 2012]

  • Stitch together code harvested from benign binaries to re-implement malware on each propagation.

  • Many offensive advantages:

    • resulting malware is 100% metamorphic

      • no common features between mutants

    • statistically indistinguishable from benign-ware

      • everything is plaintext code (no ciphertexts)

    • no runtime unpacking

      • evades write-then-execute protections

    • obfuscation is targeted and directed

      • evolves to match infected system’s notion of “benign”




Frankenstein Press Coverage

  • Presented at USENIX Offensive Technologies (WOOT) mid-August 2012

  • Thousands of news stories in August/September

    • The Economist, New Scientist, NBC News, Wired UK, The Verge, Huffington Post, Live Science, …




Solution we are exploring: SNODMAL Stream Based Novel Class Detection

(Figure: the data stream is divided into chunks D1 to D6; each labeled chunk trains a classifier, the retained classifiers C1 to C5 form an ensemble, and the ensemble produces the prediction for the current unlabeled chunk. Addresses infinite length and concept-drift. Note: Di may contain data points from different classes.)

  • Divide the data stream into equal sized chunks

    • Train a classifier from each data chunk

    • Keep the best L such classifier-ensemble
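The chunk-and-ensemble procedure above, as an added example (not the SNODMAL implementation): one classifier is trained per labeled chunk, the best L are kept, the ensemble votes on unlabeled points, and a point outside every known class region is flagged as a possible novel class. The 2-D stream, the nearest-centroid classifier, and the radius-based novelty rule are simplifications assumed for this example.

```python
# Added example (not the SNODMAL implementation): a chunk-based stream
# ensemble in the spirit of the slide. Train one classifier per labeled
# chunk, keep the best L of them, vote on unlabeled points, and flag points
# that fall outside every known class region as a possible novel class.
# The 2-D data stream is constructed; the classifier and the novelty rule are
# simplifications chosen for this example.
import math


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


class CentroidClassifier:
    """Nearest-centroid classifier trained on a single labeled chunk."""

    def __init__(self, chunk):
        sums, counts = {}, {}
        for x, label in chunk:
            sx, sy = sums.get(label, (0.0, 0.0))
            sums[label] = (sx + x[0], sy + x[1])
            counts[label] = counts.get(label, 0) + 1
        self.centroids = {c: (s[0] / counts[c], s[1] / counts[c]) for c, s in sums.items()}
        # Class radius: furthest training point from its own centroid.
        self.radius = {c: max(dist(x, cen) for x, lab in chunk if lab == c)
                       for c, cen in self.centroids.items()}

    def predict(self, x):
        return min(self.centroids, key=lambda c: dist(x, self.centroids[c]))

    def covers(self, x):
        """True if x lies inside the radius of some class seen in training."""
        return any(dist(x, cen) <= self.radius[c] for c, cen in self.centroids.items())

    def accuracy(self, chunk):
        return sum(self.predict(x) == lab for x, lab in chunk) / len(chunk)


class StreamEnsemble:
    def __init__(self, L):
        self.L = L
        self.members = []

    def update(self, labeled_chunk):
        """Train on the new chunk, rank all candidates on it, keep the best L."""
        candidates = [CentroidClassifier(labeled_chunk)] + self.members
        # Stable sort: on equal accuracy the newer classifier stays ahead.
        candidates.sort(key=lambda m: m.accuracy(labeled_chunk), reverse=True)
        self.members = candidates[:self.L]

    def predict(self, x):
        """Majority vote; 'novel' if no member's known classes cover x."""
        if not any(m.covers(x) for m in self.members):
            return "novel"
        votes = {}
        for m in self.members:
            lab = m.predict(x)
            votes[lab] = votes.get(lab, 0) + 1
        return max(votes, key=votes.get)


# Constructed stream: class A near (0,0); class B starts near (10,10) and
# drifts +0.5 in x per chunk (concept drift). Each chunk holds 8 points per class.
OFFSETS = [(-1, -1), (-1, 1), (1, -1), (1, 1), (0, 0), (0.5, -0.5), (-0.5, 0.5), (0.5, 0.5)]


def make_chunk(k):
    a = [((dx, dy), "A") for dx, dy in OFFSETS]
    b = [((10 + 0.5 * k + dx, 10 + dy), "B") for dx, dy in OFFSETS]
    return a + b


def train_stream(num_chunks=5, L=3):
    ens = StreamEnsemble(L)
    for k in range(num_chunks):
        ens.update(make_chunk(k))
    return ens


if __name__ == "__main__":
    ens = train_stream()
    for p in [(0.1, 0.1), (12.0, 10.0), (0.0, 10.0)]:
        print(p, "->", ens.predict(p))
```

Because only the L most recent well-performing classifiers are kept, the ensemble follows the drift of class B without ever holding the whole stream in memory; the point at (0, 10) belongs to neither known region and is reported as novel rather than forced into A or B.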


Smartphones can also be infected with malware!




Our Solution – Combine Static Analysis with Dynamic Analysis

(Figure: a Remote Server analyses the Mal App – App Behavior and Network Behavior.)

  • Static Analysis

    • Data mining solutions

  • Dynamic Analysis

    • Platform: Android & iPhone

    • Reverse engineering

  • Level

    • System call

    • Operating systems

    • Network

  • Supported by US Air Force 2012-2016

    • Technical Leads: Lin and Khan


We cannot forget about Hardware – Do you Trust Your Chips?

Yiorgos Makris

  • 3500 counterfeit Cisco networking components recovered

  • The Hunt for the Kill Switch – Adee, IEEE Spectrum, 2008

  • The Hacker in Your Hardware – Villasenor, Scientific American 2010

  • 2012 Phobos-Grunt Mission Fails Due to Counterfeit Non Space-Rated Chips

Research Supported by:


Our Solution to Hardware Trojan


That’s not all – Attacks to Critical Infrastructures

  • Attacks

    • Maroochy Shire 2000

  • Threats

    • HVAC 2012

    • Stuxnet 2010

    • Smart Meters 2012

(Figure captions: Obama administration demonstrates attack to power grid in Feb. 2012; DHS and INL study impact of cyber-attacks on generator.)


New Attack-Detection Mechanisms by Incorporating “Physical Constraints” of the System

  • 1st Step: Model the Physical World

    • Physical world model: a system of differential equations

  • 2nd Step: Detect Attacks

    • Compare the received signal with the expected signal

  • 3rd Step: Response to Attacks

  • 4th Step: Security Analysis

    • Missed Detections

      • Study stealthy attacks

    • False Positives

      • Ensure safety of automated response

  • [Alvaro Cárdenas, et al. AsiaCCS, 2011]

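The four-step procedure above, as an added example (not the Cárdenas et al. method itself): a constructed first-order process stands in for the physical model (Step 1), received sensor samples are compared with the model's expected signal (Step 2), and the security analysis of Step 4 is illustrated by a slow ramp that a per-sample threshold misses but a CUSUM on the residual catches. The process constants, the noise pattern and the two attack series are all constructed for this example.

```python
# Added example (not the Cárdenas et al. method itself): the four-step
# pattern of the slide on a constructed first-order process. Step 1 is a
# model (one differential equation, integrated with Euler steps), Step 2
# compares received sensor samples with the model's expected signal, and
# Step 4 is illustrated by a stealthy ramp that per-sample thresholding
# misses but a CUSUM on the residual catches. All series are constructed.
K, DT = 0.2, 1.0          # process x' = -K*x + u, sampled every DT seconds
U_SEQ = [1.0] * 60        # known actuator input over 60 samples


def expected_trajectory(u_seq, x0=0.0):
    """Step 1: integrate the physical model under the known input."""
    xs, x = [], x0
    for u in u_seq:
        x = x + DT * (-K * x + u)
        xs.append(x)
    return xs


EXPECTED = expected_trajectory(U_SEQ)
NOISE = [0.05 * (-1) ** i for i in range(len(U_SEQ))]   # constructed sensor noise


def honest_series():
    """Sensor readings with nothing but the constructed noise."""
    return [e + n for e, n in zip(EXPECTED, NOISE)]


def overt_attack_series(start=30, bias=2.0):
    """Readings shifted by a constant bias from sample `start` on."""
    return [e + n + (bias if i >= start else 0.0)
            for i, (e, n) in enumerate(zip(EXPECTED, NOISE))]


def stealthy_attack_series(start=30, slope=0.01):
    """Slow ramp that stays under a per-sample threshold (a Step 4 missed detection)."""
    return [e + n + (slope * (i - start) if i >= start else 0.0)
            for i, (e, n) in enumerate(zip(EXPECTED, NOISE))]


def residual_alarms(received, expected, threshold):
    """Step 2: indices where |received - expected| exceeds the threshold."""
    return [i for i, (r, e) in enumerate(zip(received, expected)) if abs(r - e) > threshold]


def cusum_alarm(received, expected, slack, h):
    """One-sided CUSUM on the residual; returns the first alarm index or None.
    `slack` absorbs noise; `h` is the decision limit. Lowering h catches drift
    sooner but raises the false-positive rate, the Step 4 trade-off that decides
    whether an automated response (Step 3) is safe to wire to this alarm."""
    s = 0.0
    for i, (r, e) in enumerate(zip(received, expected)):
        s = max(0.0, s + (r - e) - slack)
        if s > h:
            return i
    return None


if __name__ == "__main__":
    print("honest  :", residual_alarms(honest_series(), EXPECTED, 0.5))
    print("overt   :", residual_alarms(overt_attack_series(), EXPECTED, 0.5)[:3], "...")
    print("stealthy:", residual_alarms(stealthy_attack_series(), EXPECTED, 0.5),
          "cusum ->", cusum_alarm(stealthy_attack_series(), EXPECTED, 0.1, 1.0))
```

The per-sample comparison flags the biased readings immediately but never fires on the ramp, because each individual residual stays under the threshold; the CUSUM accumulates the small positive residuals and raises the alarm once their sum exceeds the decision limit, which is the kind of stealthy-attack analysis the 4th step calls for.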

It never ends! We need to mine the adversary

  • Adversary changes its behavior to avoid being detected

  • Data Miner and the Adversary are playing games

  • Remember, malware detection is a two class problem?

    • Good class (e.g., benign program)

    • Bad class (e.g., malware)

  • Adapt your classifier to changing adversary behavior

  • Questions?

    • How to model this game? Does this game ever end?

    • Is there an equilibrium point in the game?


Our Solution: Game Playing

  • Adversarial Stackelberg Game

    • Adversary chooses an action

    • After observing the action, data miner chooses a counteraction

    • Game ends with payoffs to each player

  • Adversary may use malware obfuscation

  • Change has some cost to the adversary

  • We need data mining techniques to handle the changes by the adversary

  • Funded by the US Army; 2012-2015

    • PI: Kantarcioglu, Co-PI: Thuraisingham

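The Stackelberg game above, as an added example (not the Kantarcioglu/Thuraisingham model): the adversary leads by choosing an obfuscation level that carries a cost, the data miner observes it and answers with a detector, and backward induction finds the equilibrium. The action sets, the costs, the detection table and the payoff of 10 for an undetected sample or a detection are all constructed for this example.

```python
# Added example (not the Kantarcioglu/Thuraisingham model): a small
# adversarial Stackelberg game solved by backward induction. The adversary
# (leader) picks an obfuscation level; the data miner (follower) observes it
# and picks a detector. Action sets, costs and the detection table are
# constructed for illustration.
GAIN = 10.0   # value of an undetected sample (to adversary) / of a detection (to miner)

# Adversary actions: obfuscation level -> cost of producing that mutation
ADVERSARY = {"obf0": 0.0, "obf1": 1.0, "obf2": 2.0, "obf3": 3.0}
# Miner actions: detector -> operating cost (analysis effort, false positives)
MINER = {"signature": 0.0, "ngram": 1.0, "behavior": 2.0}
# Detection table: which obfuscation levels each detector still catches
DETECTS = {
    "signature": {"obf0"},
    "ngram": {"obf0", "obf1"},
    "behavior": {"obf0", "obf1", "obf2"},
}


def payoffs(adv_action, miner_action, adversary, miner, detects):
    """(adversary payoff, miner payoff) once both actions are fixed."""
    caught = adv_action in detects[miner_action]
    adv = (0.0 if caught else GAIN) - adversary[adv_action]
    mnr = (GAIN if caught else 0.0) - miner[miner_action]
    return adv, mnr


def miner_best_response(adv_action, adversary, miner, detects):
    """Follower: after observing the adversary's action, maximise own payoff."""
    return max(miner, key=lambda m: payoffs(adv_action, m, adversary, miner, detects)[1])


def stackelberg_equilibrium(adversary=ADVERSARY, miner=MINER, detects=DETECTS):
    """Leader anticipates the follower's best response and maximises own payoff."""
    def leader_value(a):
        reply = miner_best_response(a, adversary, miner, detects)
        return payoffs(a, reply, adversary, miner, detects)[0]

    a_star = max(adversary, key=leader_value)
    m_star = miner_best_response(a_star, adversary, miner, detects)
    return a_star, m_star, payoffs(a_star, m_star, adversary, miner, detects)


def with_retraining(cost=3.0):
    """Same game after the miner adds an adaptive detector covering every level."""
    miner = dict(MINER, retrain=cost)
    detects = dict(DETECTS, retrain=set(ADVERSARY))
    return stackelberg_equilibrium(ADVERSARY, miner, detects)


if __name__ == "__main__":
    print("baseline     :", stackelberg_equilibrium())
    print("with retrain :", with_retraining())
```

With only static detectors the adversary's best move is the heaviest obfuscation, which no detector catches, and the miner's best reply is to spend nothing; once an adaptive detector is available at a cost below the adversary's gain, the equilibrium moves to no obfuscation at all, because every mutation now costs the adversary more than it earns. The same function answers the slide's question about equilibrium for any constructed cost table.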

Where do we go from here: Holistic Treatment

  • Three actors interacting with each other:

    • The Doctor – The Defender/Analyst

    • The Patient – The User/Soldier

    • The Virus/Bacteria – The Malware/Attacker

  • Together with ECS, SOM, EPPS and BBS, we are proposing an interdisciplinary approach.

