BareCloud: Bare-metal Analysis-based Evasive Malware Detection


BareCloud: Bare-metal Analysis-based Evasive Malware Detection. Dhilung Kirat, Giovanni Vigna, Christopher Kruegel, UC Santa Barbara. USENIX Security 2014, San Diego, CA.

Dynamic Malware Analysis: Execute → Reports

Dynamic Malware Analysis (Virtualization/Emulation): Execute → Reports

Evasive Malware vs. Dynamic Malware Analysis (Virtualization/Emulation): the sample detects the analysis environment during Execute and the Reports never show its real behavior.

Detect Analysis Environment
- Disk: HKLM\Hardware\DeviceMap\Scsi, HKLM\System\CurrentControlSet\Services\Disk\Enum
- BIOS: HKLM\Hardware\Description\System\SystemBiosVersion
- Keyboard/Mouse: presence of a mouse, keyboard layout
- User: username, Windows Product ID, active user

Detect Analysis Environment
- CPU: SIDT instruction; CPU emulation bugs (including the MMX instruction set)
- Vulnerability: CVE-2012-3221 (VirtualBox)
- Timing attack: virtualization and emulation systems add some level of overhead

Fully Undetectable (FUD)

Solutions? Dynamic Malware Analysis: Execute → Reports

Transparent Analysis: Dynamic Malware Analysis: Execute → Reports

Transparent Analysis: Execution Environment, Monitoring Components

Dynamic Malware Analysis: Transparency vs. Visibility

Can we automatically identify evasive malware under reduced visibility?

BareCloud: Dynamic Malware Analysis on a bare-metal system: Execute → Reports. No in-guest monitoring component.

BareCloud architecture: the bare-metal system is controlled over IPMI; Network Packets → Network Activities; the disk is served over iSCSI, captured as an LVM Snapshot and analyzed with SleuthKit → File Activities.

BareCloud runs each sample in four environments and compares the results: Baremetal, Ether, Anubis, VBox.

Transient vs. Persistent: All Activities → Normalization → Persistent Changes

Deviation: Malware Analysis System Evasion
- Internal software environment: identical setup; programmed randomization; normalize behavior; hierarchical similarity
- External network environment: simultaneous execution; identical external network; consistent reply

Comparison of behavior profiles A and B: JaccardSimilarity(A, B) = |A ∩ B| / |A ∪ B|

Comparison
A: Create file X, Create file Y, Create file Z
B: Create file X, Create file Y, Modify file Z
C: Create file X, Create file Y, Connect to C&C
JaccardSimilarity(A, B) = 2/4 = JaccardSimilarity(A, C)

Comparison of A and B: What type of events? Filesystem? Network? Are the events related to the same object? Same file? Same network endpoint? What type of operations? Create? Delete? HTTP?

Similarity Hierarchy: root → Object Type → Object Name → Name → Attribute

Similarity Hierarchy, profile A: Object Type: file; Object Name: C:\X, C:\Y, C:\Z (Create file X, Create file Y, Create file Z); Name, Attribute: none

Similarity Hierarchy, profile B: Object Type: file; Object Name: C:\X, C:\Y, C:\Z (Create file X, Create file Y, Modify file Z); Name: modify (under C:\Z); Attribute: none

Similarity Hierarchy, profile C: Object Type: file, network; Object Name: C:\X, C:\Y (Create file X, Create file Y) under file, C&C Address (Connect to C&C) under network; Name/Attribute: http (under the C&C Address)

Hierarchical Similarity, A vs. C (candidate sets: at each level only the nodes under ancestors present in both trees are compared)
- Object Type: {file} vs. {file, network} → Sim1 = 1/2
- Object Name: {C:\X, C:\Y, C:\Z} vs. {C:\X, C:\Y, C&C Address} → Sim2 = 2/3
- Name: Sim3 = 1
- Attribute: Sim4 = 1
Sim(A, C) = AVG(Sim1 .. Sim4) = 0.79

Hierarchical Similarity, A vs. B
- Object Type: {file} vs. {file} → Sim1 = 1
- Object Name: {C:\X, C:\Y, C:\Z} vs. {C:\X, C:\Y, C:\Z} → Sim2 = 1
- Name: modify only on B's side → Sim3 = 1/2
- Attribute: Sim4 = 1
Sim(A, B) = AVG(Sim1 .. Sim4) = 0.87

Comparison
A: Create file X, Create file Y, Create file Z
B: Create file X, Create file Y, Modify file Z
C: Create file X, Create file Y, Connect to C&C
JaccardSimilarity(A, B) == JaccardSimilarity(A, C), but HierarchicalSim(A, B) > HierarchicalSim(A, C): 0.87 > 0.79

Deviation Score
- Distance(A, B) = 1 - Sim(A, B)
- Deviation score D: quadratic mean of the behavior distances of Ether, Anubis and VBox with respect to the baremetal analysis
- Deviation threshold t: evasive if D > t
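The comparison and deviation-score slides above, worked through in code. This is an added example, not the BareCloud implementation: the profiles A, B and C are the slides' constructed ones, encoded as (object type, object name, operation, attribute) tuples, and the candidate-set rule for levels with no shared path is my assumption, chosen so that the slide values (Jaccard 2/4 for both pairs, hierarchical 0.875 for A vs. B, printed as 0.87 on the slide, and 0.79 for A vs. C) come out exactly.

```python
from math import sqrt

# Constructed behaviour profiles from the slides' comparison example.
# One tuple per event, ordered along the similarity hierarchy:
# (object type, object name, operation, attribute); None = nothing at that level.
A = {("file", r"C:\X", "create", None), ("file", r"C:\Y", "create", None),
     ("file", r"C:\Z", "create", None)}
B = {("file", r"C:\X", "create", None), ("file", r"C:\Y", "create", None),
     ("file", r"C:\Z", "modify", None)}
C = {("file", r"C:\X", "create", None), ("file", r"C:\Y", "create", None),
     ("network", "C&C address", "connect", "http")}

def jaccard(s, t):
    """Jaccard index |s & t| / |s | t|; two empty sets count as identical."""
    if not s and not t:
        return 1.0
    return len(s & t) / len(s | t)

def flat_similarity(p, q):
    """Flat Jaccard over whole events: cannot tell 'modify Z' from 'connect to C&C'."""
    return jaccard(p, q)

def candidate_nodes(profile, depth, shared):
    """Level-`depth` nodes whose ancestor path is present in both profiles."""
    return {e[:depth + 1] for e in profile
            if e[:depth] in shared and e[depth] is not None}

def hierarchical_similarity(p, q, levels=4):
    """Mean of per-level Jaccard indices over candidate sets.
    Assumed rule (not spelled out on the slides): once no path is shared,
    the remaining levels score 0; shared paths with no children score 1."""
    sims, shared = [], {()}          # the root path () is always shared
    for depth in range(levels):
        if not shared:
            sims.append(0.0)
            continue
        np_, nq = candidate_nodes(p, depth, shared), candidate_nodes(q, depth, shared)
        sims.append(jaccard(np_, nq))
        shared = np_ & nq            # only matched paths seed the next level
    return sum(sims) / levels

def deviation_score(baremetal, sandboxes):
    """Quadratic mean of hierarchical distances from the bare-metal profile."""
    d = [1.0 - hierarchical_similarity(baremetal, s) for s in sandboxes]
    return sqrt(sum(x * x for x in d) / len(d))

def is_evasive(baremetal, sandboxes, threshold=0.84):
    """Evasive if deviation score D exceeds t; t = 0.84 is the slides' threshold."""
    return deviation_score(baremetal, sandboxes) > threshold
```

With A as the bare-metal profile and B and C as sandbox profiles, D is about 0.17, well under t; a sample whose sandbox runs show only a constructed registry marker or nothing at all scores D = 1.0 and is flagged.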

Evaluation
- Ground truth: 111 evasive samples (29 families), 119 non-evasive samples (49 families)
- Calculated the behavior deviation score D
- Calculated a Jaccard distance-based deviation JD: the maximum Jaccard distance among the different behavior profiles of a malware
- Precision-recall analysis by varying the deviation threshold t

Evaluation: precision-recall curves for hierarchical similarity vs. Jaccard similarity (x-axis: Recall, 0.0 to 1.0; y-axis: Precision, 0.4 to 1.0)

Evaluation: precision and recall as a function of the threshold t (0.00 to 1.00); the chosen operating point is t = 0.84

Large-scale Evaluation
- Recent real-world malware feed observed by Anubis
- Randomly selected samples with: low system and low network activity; high system and high network activity; high system but low network activity; low system but high network activity
- 110,005 samples over a 4-month period beginning in July 2013

Large-scale Evaluation

Environment   Detection Count   Percentage
Anubis        4947              84.78
Ether         4562              78.18
VirtualBox    3576              61.28
All           2530              43.35

5,835 evasive malware out of 110,005 recent samples

Limitations
- Hardware vs. software: the iSCSI initiator
- Stalling code: waiting for user input, advanced waiting
- Decoy reconnaissance
- Real hardware IDs are not randomized

Conclusions
- Evasive malware is a real threat to the new wave of dynamic-analysis-based malware detection systems
- We presented a system that detects such evasive malware automatically

Thank You!

Questions