SlideShare une entreprise Scribd logo

Antimalware

Mayank Chaudhari
Mayank Chaudhari

This session discuss malware detection techniques and obfuscation techniques used by malware writers with special focus on signature based detection.

Ingénierie
1  sur  30
Télécharger pour lire hors ligne
BY MAYANK CHAUDHRI 2016H103014G
 INTRODUCTION  MOTIVATION  DETECTION TECHNIQUES  Signature Based  Anomaly Based  Specification Based  MALWARE OBFUSCATION
 Malware  Malware, short for "malicious software," refers to a type of computer program designed to infect a legitimate user's computer and inflict harm on it in multiple ways  Antimalware  Antimalware software protects against infections caused by many types of malware, including viruses, worms, Trojan horses, rootkits, spyware, key loggers, ransomware and adware.  Obfuscation  The obfuscation is a technique that makes programs harder to understand
 Why do we need to study malwares ?  So are only the computers that can be affected ?  Wait  Does it look fake ?  Virus 666  US patent 6506148 B2  Why do we need antimalware's?
 Techniques used for detecting malware can be categorized broadly in to two categories:  anomaly-based detection  and signature-based detection  An anomaly-based detection technique uses its knowledge of what constitutes normal behavior to decide the maliciousness of a program under inspection  Specification-based techniques leverage some specification or rule set of what is valid behavior in order to decide the maliciousness of a program under inspection  Signature-based detection uses its characterization of what is known to be malicious to decide the maliciousness of a program under inspection
 Static  Static analysis uses syntax or structural properties  A static approach attempts to detect malware before the program under inspection executes  Example strings utility (naïve way)  Dynamic  dynamic approach will leverage runtime information  a dynamic approach attempts to detect malicious behavior during program execution or after program execution  Example Sysinternals suit (naïve way)  Hybrid  In this case, static and dynamic information is used to detect malware
 What is a signature?  The signatures are typically hashes or byte-streams that are used to determine whether a file or buffer contains a malicious payload  Hashes are generated using algorithms like CRC or MD5 which are typically fast and can be calculated many times per second  This is most typical and preferred method employed by antimalware/antivirus  There is a tradeoff between being fast and being accurate
 Byte-Streams  Simplest form of signatures  Signature is a byte-stream that is specific to a malware file and that does not normally appear on non-malicious files  Example:- to detect the European Institute for Computer Anti-Virus Research (EICAR) antivirus testing file, an antivirus engine may simply search for this entire string:  X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*  Easiest and fast approach for detection  Many robust and efficient algorithms are present for string matching  Example : Aho-Corasick, Knuth-Morris-Pratt, Boyer-Moore, etc.  This approach is error prone
 Checksums  The most typical signature-matching algorithm is used by almost all existing AV engines and is based on calculating CRCs.  An antivirus engine may detect this testing file by calculating the CRC32 checksum of the entire buffer against chunks of data or by analyzing the specific parts of a file format that can be divided  Fast but a lot of false positives due to collisions  Use of modified CRC for detection. But still it gives false positioves  Example :  “petfood” and “eisenhower” have the same CRC32 hash 0xD0132158  Use of custom checksums
 Cryptographic hashes  Follows the 3 main properties of cryptographic hash functions  Generates a “signature” that univocally identifies one buffer and just one buffer  Reduces false positives  More expensive than calculating a CRC32 hash  A single bit change may need to compute a new signature  They are used for recently discovered malwares that are considered critical. Meanwhile stronger signature are being developed
 The aim is to identify a whole family of malwares and reduce false positives  Fuzzy Hashing  Minimal or no diffusion at all  No confusion at all  A good collision rate (depends on application)  Some available hashes  Ssdeep, DeepToad, SpamSum etc.  False positives are possible but less compared to earlier discussed techniques  The are not used independently but used with some sophisticated techniques like bloom filters
 Bypassing such filters is not easy  Attacker needs to change many parts because changing just one bit will not work  The number of changes required to bypass the fuzzy signature depends on the block size and how the block size is chosen  If block size depends on the size of given buffer and is not fixed then it is easier to bypass  Fixed block size based fuzzy signatures are difficult to bypass
 Graph-Based Hashes for Executables  Software program can be divided into two different kinds of graphs  Call graph – Directed graph showing the relationship between all the functions in the program  Flow graph- Directed graph showing the relationship between basic blocks  Antimalware's with code analysis engines may use signatures in the form of graphs using information extracted from call graphs or the flow graphs  This approach is expensive but effective  For better performance limit to some instructions, basic blocks, time-outs  These techniques are powerful for the detection of the polymorphic viruses, while the instructions will be different between different evolutions but the call graphs usually remain stable.
 False positive cases are still possible  Evasion techniques  Change the layout of the call graph  Implement anti-disassembly tricks  Mix anti-disassembly techniques with opaque predicates  Use time-out tricks (make the flow graph as complex as possible)  Example of control flow graph tool  http://github.com/joxeankoret/pyew
 Dynamic signature-based detection is characterized by using solely information gathered during the execution to decide its maliciousness  looks for patterns of behavior that would reveal the true malicious intent of a program.  Signature-based method for worm detection that is based on known malicious behaviors  A state transition based technique for detection
 Uses static and dynamic properties to determine the maliciousness  First executes the program and then apply static signature detection  Example  Worm vs. Worm  Malicious Code Filter
 Anomaly based detection usually occurs in two phases:  Training (learning) phase and  Detection (monitoring) phase  During the training phase the detector attempts to learn the normal behavior .  The detector could be learning the behavior of system, program or both  The key advantage of anomaly based detection is to detect zero-day attacks  Two fundamental problems associated with this approach are  High false alarm rate  Complexity of choosing the features to be learned in training phase
 In dynamic anomaly-based detection, information gathered from the program’s execution is used to detect malicious code  The detection phase monitors the program under inspection during its execution, checking for inconsistencies with what was learned during the training phase  Examples  IDS, using computer forensic methods for Privacy-Invasive Software, monitoring system call sequences, process call sequences  Setting a threshold is a challenging problem to reduce false positive cases
 In static anomaly-based detection, characteristics about the file structure of the program under inspection are used to detect malicious code  A key advantage of static anomaly based detection is that its use may make it possible to detect malware without having to allow the malware carrying program execute on the host system  Data-mining and machine learning approaches are used to detect the malwares  Hybrid anomaly based detection
 Specification-based detection is a type of anomaly-based detection that tries to address the typical high false alarm rate associated with most anomaly-based detection techniques  Specification-based detection attempts to approximate the requirements for an application or system  Training phase is the attainment of some rule set  The main limitation of specification-based detection is that it is often difficult to specify completely and accurately the entire set of valid behaviors a system should exhibit
 Approaches classified as dynamic specification-based use behavior observed at runtime to determine the maliciousness of an executable  Example  Monitoring Security-Critical Programs (using monitored system call events)  Using Dynamic Information Flow to Protect Applications  Process Behavior Monitoring  Using Instruction Block Signatures
 Structural properties of programs are use for detection  Example  Static Detection of Malicious Code in Executables (API- graph)  Compiler Approach to Malcode Detection (certifying compiler)  Detecting Malcode in Firmware  Hybrid specification based detection  Example
 Types of malware obfuscation techniques  Encryption  Exclusive OR  Dead code insertion  Register Reassignment  Subroutine Reordering  Instruction substitution  Code transposition  Code integration  Base64 encoding  Code packing  ROT13
 Encryption  The first approach to evade the signature based antivirus scanners is to use encryption  Exclusive OR  Perform XOR operation with some byte  Base64 Encoding  Base64 is commonly used in malware to disguise text strings  ROT13  Rotate13 a simple letter substitution to jumble text
 Code Packing  A packer is piece of software that takes the original malware file and compresses it  Dead-Code Insertion  Dead-code insertion is a simple technique that adds some ineffective instructions to a program to change its appearance, but keep its behavior  Register Reassignment  Switches registers generation to generation while keeping program behavior same  Subroutine Reordering  Obfuscate an original code by changing the order of its subroutines in a random way.  Example Win32/Ghost
 Instruction Substitution  Evolves an original code by replacing some instruction with other equivalent ones  Code Transposition  Code transposition reorders the sequence of the instructions of an original code without having any impact on its behavior.  Code Integration  Introduced by the Win32/Zmist malware  Malware knits itself to the code of its target program  Decompile the target program into manageable objects , add itself between them and reassembles the integrated code into a new generation.
 Antivirus hackers handbook, Joxean Koret Elias Bachaalany, Willy Publication.  Practical Malware Analysis, Andrew Honig, No Starch Press.  Nwokedi Idika, Aditya P. Mathur, A Survey of Malware Detection Techniques,  Ilsun You , Kangbin Yim, Malware Obfuscation Techniques: A Brief Survey , 2010 International Conference on Broadband, Wireless Computing, Communication and Applications.  defcon-17-sean_taylor-binary_obfuscation.pdf, Defcon 02017.
Antimalware

Recommandé

A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSA FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSIJNSA Journal
 
Auto sign an automatic signature generator for high-speed malware filtering d...
Auto sign an automatic signature generator for high-speed malware filtering d...Auto sign an automatic signature generator for high-speed malware filtering d...
Auto sign an automatic signature generator for high-speed malware filtering d...UltraUploader
 
Ids 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systemsIds 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systemsjyoti_lakhani
 
IRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection SystemIRJET - Heuristic Approach to Intrusion Detection System
IRJET - Heuristic Approach to Intrusion Detection SystemIRJET Journal
 
Automated malware invariant generation
Automated malware invariant generationAutomated malware invariant generation
Automated malware invariant generationUltraUploader
 
Metamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and DetectionMetamorphic Malware Analysis and Detection
Metamorphic Malware Analysis and DetectionGrijesh Chauhan
 
A malware detection method for health sensor data based on machine learning
A malware detection method for health sensor data based on machine learningA malware detection method for health sensor data based on machine learning
A malware detection method for health sensor data based on machine learningjaigera
 
Ids 013 detection approaches
Ids 013 detection approachesIds 013 detection approaches
Ids 013 detection approachesjyoti_lakhani
 

Contenu connexe

Tendances

TriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsTriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsPietro De Nicolao
 
Agisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signaturesAgisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signaturesUltraUploader
 
Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...
Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...
Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...Wojciech Podgórski
 
Data Mining and Intrusion Detection
Data Mining and Intrusion Detection Data Mining and Intrusion Detection
Data Mining and Intrusion Detection amiable_indian
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architectureUltraUploader
 
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...ijcsit
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionProgrammer
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detectionUltraUploader
 
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...Jowin John Chemban
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detectionbutest
 
Artificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & RecognitionArtificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & Recognitionahmadali999
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemIJRES Journal
 
Intrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIntrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIJCSEA Journal
 
Detecting Spam Zombies by Monitoring Outgoing Messages
Detecting Spam Zombies by Monitoring Outgoing Messages Detecting Spam Zombies by Monitoring Outgoing Messages
Detecting Spam Zombies by Monitoring Outgoing Messages Gowtham Chandra
 
Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...UltraUploader
 

Tendances (20)

Practical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesPractical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approaches
 
TriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsTriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android Applications
 
[IJET-V1I6P6] Authors: Ms. Neeta D. Birajdar, Mr. Madhav N. Dhuppe, Ms. Trupt...
[IJET-V1I6P6] Authors: Ms. Neeta D. Birajdar, Mr. Madhav N. Dhuppe, Ms. Trupt...[IJET-V1I6P6] Authors: Ms. Neeta D. Birajdar, Mr. Madhav N. Dhuppe, Ms. Trupt...
[IJET-V1I6P6] Authors: Ms. Neeta D. Birajdar, Mr. Madhav N. Dhuppe, Ms. Trupt...
 
Agisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signaturesAgisa towards automatic generation of infection signatures
Agisa towards automatic generation of infection signatures
 
Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...
Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...
Artificial Intelligence Methods in Virus Detection & Recognition - Introducti...
 
Data Mining and Intrusion Detection
Data Mining and Intrusion Detection Data Mining and Intrusion Detection
Data Mining and Intrusion Detection
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architecture
 
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
 
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
 
4
44
4
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detection
 
Artificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & RecognitionArtificial Intelligence in Virus Detection & Recognition
Artificial Intelligence in Virus Detection & Recognition
 
5
55
5
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detection
 
Intrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIntrusion detection system based on web usage mining
Intrusion detection system based on web usage mining
 
Detecting Spam Zombies by Monitoring Outgoing Messages
Detecting Spam Zombies by Monitoring Outgoing Messages Detecting Spam Zombies by Monitoring Outgoing Messages
Detecting Spam Zombies by Monitoring Outgoing Messages
 
Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...
 

Similaire à Antimalware

Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Akash Karwande
 
What Are The Types of Malware? Must Read
What Are The Types of Malware? Must ReadWhat Are The Types of Malware? Must Read
What Are The Types of Malware? Must ReadBytecode Security
 
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSA FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSIJNSA Journal
 
Antivirus - Virus detection and removal methods
Antivirus - Virus detection and removal methodsAntivirus - Virus detection and removal methods
Antivirus - Virus detection and removal methodsSomanath Kavalase
 
Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039Editor IJARCET
 
Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039Editor IJARCET
 
Malware Protection Week5Part4-IS Revision Fall2013 .docx
Malware Protection Week5Part4-IS Revision Fall2013 .docxMalware Protection Week5Part4-IS Revision Fall2013 .docx
Malware Protection Week5Part4-IS Revision Fall2013 .docxinfantsuk
 
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....Research Publish Journals (Publisher)
 
Presentation.pptx..................................
Presentation.pptx..................................Presentation.pptx..................................
Presentation.pptx..................................Shivakrishnan18
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET Journal
 
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxUnderstanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxRineri1
 
Intrusion Detection System using Hidden Markov Model (HMM)
Intrusion Detection System using Hidden Markov Model (HMM)Intrusion Detection System using Hidden Markov Model (HMM)
Intrusion Detection System using Hidden Markov Model (HMM)IOSR Journals
 
Autonomic Anomaly Detection System in Computer Networks
Autonomic Anomaly Detection System in Computer NetworksAutonomic Anomaly Detection System in Computer Networks
Autonomic Anomaly Detection System in Computer Networksijsrd.com
 
Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...
Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...
Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...Shakas Technologies
 
The Pros and Cons of Different Security Detection Technologies.pdf
The Pros and Cons of Different Security Detection Technologies.pdfThe Pros and Cons of Different Security Detection Technologies.pdf
The Pros and Cons of Different Security Detection Technologies.pdfSecurityDetectionSol
 
A fast static analysis approach to detect exploit code inside network flows
A fast static analysis approach to detect exploit code inside network flowsA fast static analysis approach to detect exploit code inside network flows
A fast static analysis approach to detect exploit code inside network flowsUltraUploader
 
Malwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionMalwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionIOSR Journals
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
Survey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detectionSurvey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detectioncsandit
 

Similaire à Antimalware (20)

Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques Malware Detection Using Data Mining Techniques
Malware Detection Using Data Mining Techniques
 
What Are The Types of Malware? Must Read
What Are The Types of Malware? Must ReadWhat Are The Types of Malware? Must Read
What Are The Types of Malware? Must Read
 
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSA FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
 
Antivirus - Virus detection and removal methods
Antivirus - Virus detection and removal methodsAntivirus - Virus detection and removal methods
Antivirus - Virus detection and removal methods
 
Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039
 
Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039Volume 2-issue-6-2037-2039
Volume 2-issue-6-2037-2039
 
Malware Protection Week5Part4-IS Revision Fall2013 .docx
Malware Protection Week5Part4-IS Revision Fall2013 .docxMalware Protection Week5Part4-IS Revision Fall2013 .docx
Malware Protection Week5Part4-IS Revision Fall2013 .docx
 
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....
 
Presentation (1).pptx
Presentation (1).pptxPresentation (1).pptx
Presentation (1).pptx
 
Presentation.pptx..................................
Presentation.pptx..................................Presentation.pptx..................................
Presentation.pptx..................................
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
 
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxUnderstanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptx
 
Intrusion Detection System using Hidden Markov Model (HMM)
Intrusion Detection System using Hidden Markov Model (HMM)Intrusion Detection System using Hidden Markov Model (HMM)
Intrusion Detection System using Hidden Markov Model (HMM)
 
Autonomic Anomaly Detection System in Computer Networks
Autonomic Anomaly Detection System in Computer NetworksAutonomic Anomaly Detection System in Computer Networks
Autonomic Anomaly Detection System in Computer Networks
 
Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...
Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...
Automated Android Malware Detection Using Optimal Ensemble Learning Approach ...
 
The Pros and Cons of Different Security Detection Technologies.pdf
The Pros and Cons of Different Security Detection Technologies.pdfThe Pros and Cons of Different Security Detection Technologies.pdf
The Pros and Cons of Different Security Detection Technologies.pdf
 
A fast static analysis approach to detect exploit code inside network flows
A fast static analysis approach to detect exploit code inside network flowsA fast static analysis approach to detect exploit code inside network flows
A fast static analysis approach to detect exploit code inside network flows
 
Malwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant ExtractionMalwise-Malware Classification and Variant Extraction
Malwise-Malware Classification and Variant Extraction
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Survey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detectionSurvey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detection
 

Dernier

The Satellite applications in telecommunication
The Satellite applications in telecommunicationThe Satellite applications in telecommunication
The Satellite applications in telecommunicationnovrain7111
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptxmohitesoham12
 
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...gerogepatton
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...Erbil Polytechnic University
 
Structural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot MuiliStructural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot MuiliNimot Muili
 
Detection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackingDetection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackinghadarpinhas1
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...IJAEMSJORNAL
 
A brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProA brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProRay Yuan Liu
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewsandhya757531
 
multiple access in wireless communication
multiple access in wireless communicationmultiple access in wireless communication
multiple access in wireless communicationpanditadesh123
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxLina Kadam
 
STATE TRANSITION DIAGRAM in psoc subject
STATE TRANSITION DIAGRAM in psoc subjectSTATE TRANSITION DIAGRAM in psoc subject
STATE TRANSITION DIAGRAM in psoc subjectGayathriM270621
 
tourism-management-srs_compress-software-engineering.pdf
tourism-management-srs_compress-software-engineering.pdftourism-management-srs_compress-software-engineering.pdf
tourism-management-srs_compress-software-engineering.pdfchess188chess188
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...shreenathji26
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Romil Mishra
 
70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical training70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical trainingGladiatorsKasper
 
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxTriangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxRomil Mishra
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Coursebim.edu.pl
 

Dernier (20)

The Satellite applications in telecommunication
The Satellite applications in telecommunicationThe Satellite applications in telecommunication
The Satellite applications in telecommunication
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptx
 
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...
 
Structural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot MuiliStructural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
 
Detection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and trackingDetection&Tracking - Thermal imaging object detection and tracking
Detection&Tracking - Thermal imaging object detection and tracking
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
 
A brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProA brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision Pro
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overview
 
multiple access in wireless communication
multiple access in wireless communicationmultiple access in wireless communication
multiple access in wireless communication
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptx
 
STATE TRANSITION DIAGRAM in psoc subject
STATE TRANSITION DIAGRAM in psoc subjectSTATE TRANSITION DIAGRAM in psoc subject
STATE TRANSITION DIAGRAM in psoc subject
 
tourism-management-srs_compress-software-engineering.pdf
tourism-management-srs_compress-software-engineering.pdftourism-management-srs_compress-software-engineering.pdf
tourism-management-srs_compress-software-engineering.pdf
 
Designing pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptxDesigning pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptx
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 
70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical training70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical training
 
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptxTriangulation survey (Basic Mine Surveying)_MI10412MI.pptx
Triangulation survey (Basic Mine Surveying)_MI10412MI.pptx
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Course
 

Antimalware

  • 2.  INTRODUCTION  MOTIVATION  DETECTION TECHNIQUES  Signature Based  Anomaly Based  Specification Based  MALWARE OBFUSCATION
  • 3.  Malware  Malware, short for "malicious software," refers to a type of computer program designed to infect a legitimate user's computer and inflict harm on it in multiple ways  Antimalware  Antimalware software protects against infections caused by many types of malware, including viruses, worms, Trojan horses, rootkits, spyware, key loggers, ransomware and adware.  Obfuscation  The obfuscation is a technique that makes programs harder to understand
  • 4.  Why do we need to study malwares ?  So are only the computers that can be affected ?  Wait  Does it look fake ?  Virus 666  US patent 6506148 B2  Why do we need antimalware's?
  • 5.
  • 6.  Techniques used for detecting malware can be categorized broadly in to two categories:  anomaly-based detection  and signature-based detection  An anomaly-based detection technique uses its knowledge of what constitutes normal behavior to decide the maliciousness of a program under inspection  Specification-based techniques leverage some specification or rule set of what is valid behavior in order to decide the maliciousness of a program under inspection  Signature-based detection uses its characterization of what is known to be malicious to decide the maliciousness of a program under inspection
  • 7.  Static  Static analysis uses syntax or structural properties  A static approach attempts to detect malware before the program under inspection executes  Example strings utility (naïve way)  Dynamic  dynamic approach will leverage runtime information  a dynamic approach attempts to detect malicious behavior during program execution or after program execution  Example Sysinternals suit (naïve way)  Hybrid  In this case, static and dynamic information is used to detect malware
  • 8.  What is a signature?  The signatures are typically hashes or byte-streams that are used to determine whether a file or buffer contains a malicious payload  Hashes are generated using algorithms like CRC or MD5 which are typically fast and can be calculated many times per second  This is most typical and preferred method employed by antimalware/antivirus  There is a tradeoff between being fast and being accurate
  • 9.  Byte-Streams  Simplest form of signatures  Signature is a byte-stream that is specific to a malware file and that does not normally appear on non-malicious files  Example:- to detect the European Institute for Computer Anti-Virus Research (EICAR) antivirus testing file, an antivirus engine may simply search for this entire string:  X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*  Easiest and fast approach for detection  Many robust and efficient algorithms are present for string matching  Example : Aho-Corasick, Knuth-Morris-Pratt, Boyer-Moore, etc.  This approach is error prone
  • 10.
  • 11.  Checksums  The most typical signature-matching algorithm is used by almost all existing AV engines and is based on calculating CRCs.  An antivirus engine may detect this testing file by calculating the CRC32 checksum of the entire buffer against chunks of data or by analyzing the specific parts of a file format that can be divided  Fast but a lot of false positives due to collisions  Use of modified CRC for detection. But still it gives false positioves  Example :  “petfood” and “eisenhower” have the same CRC32 hash 0xD0132158  Use of custom checksums
  • 12.  Cryptographic hashes  Follows the 3 main properties of cryptographic hash functions  Generates a “signature” that univocally identifies one buffer and just one buffer  Reduces false positives  More expensive than calculating a CRC32 hash  A single bit change may need to compute a new signature  They are used for recently discovered malwares that are considered critical. Meanwhile stronger signature are being developed
  • 13.  The aim is to identify a whole family of malwares and reduce false positives  Fuzzy Hashing  Minimal or no diffusion at all  No confusion at all  A good collision rate (depends on application)  Some available hashes  Ssdeep, DeepToad, SpamSum etc.  False positives are possible but less compared to earlier discussed techniques  The are not used independently but used with some sophisticated techniques like bloom filters
  • 14.  Bypassing such filters is not easy  Attacker needs to change many parts because changing just one bit will not work  The number of changes required to bypass the fuzzy signature depends on the block size and how the block size is chosen  If block size depends on the size of given buffer and is not fixed then it is easier to bypass  Fixed block size based fuzzy signatures are difficult to bypass
  • 15.  Graph-Based Hashes for Executables  Software program can be divided into two different kinds of graphs  Call graph – Directed graph showing the relationship between all the functions in the program  Flow graph- Directed graph showing the relationship between basic blocks  Antimalware's with code analysis engines may use signatures in the form of graphs using information extracted from call graphs or the flow graphs  This approach is expensive but effective  For better performance limit to some instructions, basic blocks, time-outs  These techniques are powerful for the detection of the polymorphic viruses, while the instructions will be different between different evolutions but the call graphs usually remain stable.
  • 16.  False positive cases are still possible  Evasion techniques  Change the layout of the call graph  Implement anti-disassembly tricks  Mix anti-disassembly techniques with opaque predicates  Use time-out tricks (make the flow graph as complex as possible)  Example of control flow graph tool  http://github.com/joxeankoret/pyew
  • 17.  Dynamic signature-based detection is characterized by using solely information gathered during the execution to decide its maliciousness  looks for patterns of behavior that would reveal the true malicious intent of a program.  Signature-based method for worm detection that is based on known malicious behaviors  A state transition based technique for detection
  • 18.  Uses static and dynamic properties to determine the maliciousness  First executes the program and then apply static signature detection  Example  Worm vs. Worm  Malicious Code Filter
  • 19.  Anomaly based detection usually occurs in two phases:  Training (learning) phase and  Detection (monitoring) phase  During the training phase the detector attempts to learn the normal behavior .  The detector could be learning the behavior of system, program or both  The key advantage of anomaly based detection is to detect zero-day attacks  Two fundamental problems associated with this approach are  High false alarm rate  Complexity of choosing the features to be learned in training phase
  • 20.  In dynamic anomaly-based detection, information gathered from the program’s execution is used to detect malicious code  The detection phase monitors the program under inspection during its execution, checking for inconsistencies with what was learned during the training phase  Examples  IDS, using computer forensic methods for Privacy-Invasive Software, monitoring system call sequences, process call sequences  Setting a threshold is a challenging problem to reduce false positive cases
  • 21.  In static anomaly-based detection, characteristics about the file structure of the program under inspection are used to detect malicious code  A key advantage of static anomaly based detection is that its use may make it possible to detect malware without having to allow the malware carrying program execute on the host system  Data-mining and machine learning approaches are used to detect the malwares  Hybrid anomaly based detection
  • 22.  Specification-based detection is a type of anomaly-based detection that tries to address the typical high false alarm rate associated with most anomaly-based detection techniques  Specification-based detection attempts to approximate the requirements for an application or system  Training phase is the attainment of some rule set  The main limitation of specification-based detection is that it is often difficult to specify completely and accurately the entire set of valid behaviors a system should exhibit
  • 23.  Approaches classified as dynamic specification-based use behavior observed at runtime to determine the maliciousness of an executable  Example  Monitoring Security-Critical Programs (using monitored system call events)  Using Dynamic Information Flow to Protect Applications  Process Behavior Monitoring  Using Instruction Block Signatures
  • 24.  Structural properties of programs are use for detection  Example  Static Detection of Malicious Code in Executables (API- graph)  Compiler Approach to Malcode Detection (certifying compiler)  Detecting Malcode in Firmware  Hybrid specification based detection  Example
  • 25.  Types of malware obfuscation techniques  Encryption  Exclusive OR  Dead code insertion  Register Reassignment  Subroutine Reordering  Instruction substitution  Code transposition  Code integration  Base64 encoding  Code packing  ROT13
  • 26.  Encryption  The first approach to evade the signature based antivirus scanners is to use encryption  Exclusive OR  Perform XOR operation with some byte  Base64 Encoding  Base64 is commonly used in malware to disguise text strings  ROT13  Rotate13 a simple letter substitution to jumble text
  • 27.  Code Packing  A packer is piece of software that takes the original malware file and compresses it  Dead-Code Insertion  Dead-code insertion is a simple technique that adds some ineffective instructions to a program to change its appearance, but keep its behavior  Register Reassignment  Switches registers generation to generation while keeping program behavior same  Subroutine Reordering  Obfuscate an original code by changing the order of its subroutines in a random way.  Example Win32/Ghost
  • 28.  Instruction Substitution  Evolves an original code by replacing some instruction with other equivalent ones  Code Transposition  Code transposition reorders the sequence of the instructions of an original code without having any impact on its behavior.  Code Integration  Introduced by the Win32/Zmist malware  Malware knits itself to the code of its target program  Decompile the target program into manageable objects , add itself between them and reassembles the integrated code into a new generation.
  • 29.  Antivirus hackers handbook, Joxean Koret Elias Bachaalany, Willy Publication.  Practical Malware Analysis, Andrew Honig, No Starch Press.  Nwokedi Idika, Aditya P. Mathur, A Survey of Malware Detection Techniques,  Ilsun You , Kangbin Yim, Malware Obfuscation Techniques: A Brief Survey , 2010 International Conference on Broadband, Wireless Computing, Communication and Applications.  defcon-17-sean_taylor-binary_obfuscation.pdf, Defcon 02017.