
CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY

From: First IEEE International Conference on Communications in China: Communications Theory and Security (CTS). Author: Wei Yan. Speaker: 張鈞閔. Date: 2013/10/24.


Presentation Transcript


  1. CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China: Communications Theory and Security (CTS) Author: Wei Yan Speaker:張鈞閔 Date:2013/10/24

  2. Outline • Introduction • Cloud-based Security Service • CAS: Threat Intelligence As A Service • Simulation • Conclusion

  3. Outline • Introduction • Cloud-based Security Service • CAS: Threat Intelligence As A Service • Simulation • Conclusion

  4. Advanced Persistent Threat • The past few years have witnessed a significant increase in the number of malware threats. • Today’s anti-virus (AV) industry devotes much effort to combating the Advanced Persistent Threat (APT), also known as advanced malware. • “Advanced” here means the use of new technologies to generate new, sophisticated malware that bypasses security vendors’ malware scanners.

  5. Challenges In Overcoming Advanced Malware’s Complexity • Vendors need to keep inserting new virus signatures into the database, which increases the size of the signature database and consumes much of the PC’s memory and resources. • Behavior-based detection approaches have been used to detect malware in a sandbox, but these approaches have slow scan speeds.

  6. Move Into The Cloud • To effectively handle the scale and magnitude of new malware variants, anti-virus functionality is being moved from the user desktop into the cloud. • For a suspicious file, the AV desktop agent fetches the fingerprint or calculates the hash value of the file, and sends it to the remote cloud server. • In this paper, millions of samples have been tested to evaluate CAS’s performance in detecting advanced malware.

  7. Outline • Introduction • Cloud-based Security Service • CAS: Threat Intelligence As A Service • Simulation • Conclusion

  8. Cloud-based Anti-virus Service (1/3)

  9. Cloud-based Anti-virus Service (2/3) • The cloud agent is a lightweight hybrid desktop solution to resolve the AV resource intensive problem. • The agent collects hash values or fingerprints of suspicious files from users. • If the hash values or fingerprints are already stored in the cache, the agent just returns the cached results to inform the users whether the requested files are malicious or not. • Otherwise, it will search in the local light-weight signature database, or directly send the values or fingerprints into the cloud.
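The three-tier lookup described on this slide (cache, then local lightweight signature database, then cloud), as an added example that is not the paper’s code. The local database, the cloud lookup and the sample contents are constructed stand-ins; a real agent would query a remote service where `cloud_lookup` is called.

```python
import hashlib
from collections import OrderedDict

# Constructed stand-ins for the lightweight local signature DB and the cloud.
LOCAL_SIGNATURES = {hashlib.sha256(b"constructed sample A").hexdigest(): "malicious"}
CLOUD_VERDICTS = {hashlib.sha256(b"constructed sample B").hexdigest(): "malicious"}

def cloud_lookup(digest: str) -> str:
    """Placeholder for the remote cloud query; unknown hashes are reported clean."""
    return CLOUD_VERDICTS.get(digest, "clean")

class HybridAgent:
    """Desktop agent that answers from cache, then the local DB, then the cloud,
    and caches cloud verdicts so repeated files never leave the host again."""

    def __init__(self, cache_size: int = 1000):
        self.cache = OrderedDict()          # LRU cache of hash -> verdict
        self.cache_size = cache_size
        self.stats = {"cache": 0, "local": 0, "cloud": 0}   # workload split

    def verdict(self, content: bytes):
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.cache:
            self.cache.move_to_end(digest)
            self.stats["cache"] += 1
            return self.cache[digest], "cache"
        if digest in LOCAL_SIGNATURES:
            self.stats["local"] += 1
            return LOCAL_SIGNATURES[digest], "local"
        self.stats["cloud"] += 1
        result = cloud_lookup(digest)
        self.cache[digest] = result
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict least recently used entry
        return result, "cloud"
```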

  10. Cloud-based Anti-virus Service (3/3) • In order to keep a good workload balance between the desktop and the cloud server, the agent requires a lightweight signature database whose size is much smaller than that of the traditional one. • Virus writers use binary tools to apply code obfuscation. An emulator includes programs that execute or emulate suspicious encrypted executables until they are fully decrypted in memory.

  11. Outline • Introduction • Cloud-based Security Service • CAS: Threat Intelligence As A Service • Simulation • Conclusion

  12. Framework (1/2)

  13. Framework (2/2) • Malware type identification is used to recognize the malware file type. • Based on the identified file type, the advanced malicious sample is forwarded to the corresponding file parser. • Afterwards, stream-based and generic signatures are generated from the malware families. • These signatures are applied on high-speed network devices, such as UTM appliances and next-generation firewalls, to offer cloud-based on-the-fly malware detection.

  14. Malware Types Supported • To support heterogeneous malware types, the intelligent parser in CAS is able to recognize the input malware file type. • The current CAS supports PE (Portable Executable format), packers and non-PE files.

  15. PE • A PE file starts with the DOS executable header, followed by the PE header. The optional header is then followed by the section table headers. • Finally, at the end of the PE file is the section data, which contains the file’s original entry point (OEP), where file execution begins. • To search a PE file for malware, a scanner typically scans the segments for known signatures at certain offsets from the OEP.

  16. Packer • Packing is an efficient way to obfuscate a file’s original contents, and as of publication time, packers are malware authors’ favored binary tools for obscuring their code. • A packer mutates the headers into new structures and attaches a code segment that the malware will invoke before the OEP. • This code is called the stub; it decompresses the original data and locates the OEP.
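The OEP-relative scan from slide 15, as an added example (not the paper’s code) that also covers slide 16: the parser walks DOS header, PE header, optional header and section table to map the entry-point RVA to a file offset, then checks byte patterns at fixed offsets from it. The PE image and the two signatures are constructed for the example; the first signature resembles the opening bytes of a packer stub sitting at a packed file’s entry point, the second an ordinary function prologue.

```python
import struct

def build_min_pe(code: bytes, entry_rva: int = 0x1000) -> bytes:
    """Construct a minimal PE32 image (test data, not a real program) with one
    section whose first byte is the entry point."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)     # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)  # one section
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)  # entry at +16
    opt = opt.ljust(opt_size, b"\0")
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(code), entry_rva, 0x200, raw_ptr)
    headers = dos + b"PE\0\0" + coff + opt + sect.ljust(40, b"\0")
    return headers.ljust(raw_ptr, b"\0") + code.ljust(0x200, b"\0")

def entry_point_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing DOS header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]
    sect = pe_off + 24 + opt_size                 # section table follows the optional header
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sect + i * 40 + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            return raw_ptr + (entry_rva - va)
    raise ValueError("entry point lies outside every section")

# Constructed signatures: (offset from OEP, expected bytes, label).
SIGNATURES = [(0, b"\x60\xe8\x00\x00\x00\x00", "packer-stub-like (constructed)"),
              (1, b"\x8b\xec", "family-A-like (constructed)")]

def scan_at_oep(pe: bytes) -> list:
    """Return the labels of all signatures that match at their OEP-relative offset."""
    oep = entry_point_offset(pe)
    return [label for off, pat, label in SIGNATURES
            if pe[oep + off: oep + off + len(pat)] == pat]
```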

  17. Non-PE • Non-PE malware, also known as embedded malware, allows malicious code to be hidden inside a benign file, such as JPG, GIF and PDF files. • CAS uses non-PE parsers to find the hidden malicious payloads and applies signatures to detect the malware. • In Fig. 4, the CAS parser walks the JPG format and highlights the malicious payloads in red.
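A JPG walker in the spirit of Fig. 4, as an added example that is not the paper’s parser: it follows the marker/length structure segment by segment, skips the entropy-coded scan data, and reports the two places where a payload commonly hides, an executable or script body inside an APPn/COM segment and bytes appended after EOI that no decoder reads. The sample images and the MZ/script checks are constructed for the example.

```python
import struct

def jpeg_segments(data: bytes):
    """Yield (marker, offset, total_length) per segment up to and including EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: end of image
            yield marker, pos, 2
            return
        if pos + 4 > len(data):
            break
        seglen = struct.unpack_from(">H", data, pos + 2)[0]   # counts its own 2 bytes
        yield marker, pos, seglen + 2
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: scan data runs until EOI
            end = data.find(b"\xff\xd9", pos)
            if end < 0:
                break
            pos = end
    raise ValueError("truncated JPEG (no EOI)")

def find_suspect_payloads(data: bytes) -> list:
    """Return (reason, offset, size) for regions a non-PE parser would highlight."""
    hits, end_of_image = [], len(data)
    for marker, off, length in jpeg_segments(data):
        body = data[off + 4: off + length]
        if (0xE0 <= marker <= 0xEF or marker == 0xFE) and (
                body.lstrip(b"\0").startswith(b"MZ") or b"<script" in body.lower()):
            hits.append(("executable or script inside APP/COM segment", off + 4, len(body)))
        end_of_image = off + length
    if end_of_image < len(data):
        hits.append(("data appended after EOI", end_of_image, len(data) - end_of_image))
    return hits

def _seg(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed samples (not real images): JFIF header, a minimal SOS, a few
# bytes of scan data, EOI, and then either an appended blob or a COM payload.
CLEAN = (b"\xff\xd8" + _seg(0xE0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
         + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
TRAILING = CLEAN + b"MZ\x90\x00" + b"constructed trailing payload"
IN_COMMENT = b"\xff\xd8" + _seg(0xFE, b"MZ\x90\x00constructed payload in COM") + CLEAN[2:]
```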

  18. Outline • Introduction • Cloud-based Security Service • CAS: Threat Intelligence As A Service • Simulation • Conclusion

  19. On-the-fly detection performance • The CAS correlation signature database can work with such network devices to capture the latest malware. • The hardware-based simulation shows that the CAS online scanner can achieve more than 15 Gbps, as shown in Table 2, much higher than other research works.

  20. Detect zero-day threats (1/2) • In our testing, CAS uses 1352 correlation signatures to cover 380 packed and unpacked malware families (7 million malicious samples in total). • Fig. 5 shows the detection rate for packed malware families without updating signatures. • The detection rate remains high even though signatures were not updated for a month.

  21. Detect zero-day threats (2/2)

  22. Outline • Introduction • Cloud-based Security Service • CAS: Threat Intelligence As A Service • Simulation • Conclusion

  23. Conclusion • This paper introduces CAS to identify features shared across malware families that are written in similar ways. • Our approach is generic, and the test results have validated its ability and performance. • The work is still in its early stages, and several major issues in protecting the AV cloud service remain to be addressed.
