15th USENIX Security Symposium; Pp. 273–288 of the Proceedings
Engin Kirda and Christopher Kruegel; Secure Systems Lab Technical University Vienna
Greg Banks, Giovanni Vigna, and Richard A. Kemmerer; Department of Computer Science University of California, Santa Barbara
Spyware is rapidly becoming a major security issue. Spyware programs are surreptitiously installed on a user’s workstation to monitor his/her actions and gather private information about a user’s behavior. Current anti-spyware tools operate in a way similar to traditional anti-virus tools, where signatures associated with known spyware programs are checked against newly-installed applications. Unfortunately, these techniques are very easy to evade by using simple obfuscation transformations.
This paper presents a novel technique for spyware detection that is based on the characterization of spyware-like behavior. The technique is tailored to a popular class of spyware applications that use Internet Explorer’s Browser Helper Object (BHO) and toolbar interfaces to monitor a user’s browsing behavior. Our technique uses a composition of static and dynamic analysis to determine whether the behavior of BHOs and toolbars in response to simulated browser events should be considered malicious. The evaluation of our technique on a representative set of spyware samples shows that it is possible to reliably identify malicious components using an abstract behavioral characterization.
Weidong Cui, Electrical Engineering and Computer Sciences University of California at Berkeley, Technical Report No. UCB/EECS-2006-115
An increasing variety of malware like worms, spyware and adware threatens both personal and business computing. Modern malware has two features: (1) malware evolves rapidly; (2) self-propagating malware can spread very fast. These features lead to a strong need for automatic actions against new unknown malware. In this thesis, we aim to develop new techniques and systems to automate the detection of new unknown malware because detection is the first step for any reaction. Since there is no single panacea that could be used to detect all malware in every environment, we focus on one important environment, personal computers, and one important type of malware, computer worms. To tackle the problem of automatic malware detection, we face two fundamental challenges: false alarms and scalability. We take two new approaches to solve these challenges. To minimize false alarms, our approach is to infer the intent of the user or adversary (the malware author), because most benign software running on personal computers is user driven, and authors behind different kinds of malware have distinct intent. To achieve early detection of fast spreading Internet worms, we must monitor the Internet from a large number of vantage points, which leads to the scalability problem — how to filter repeated probes. Our approach is to leverage protocol-independent replay of application dialog, a new technology which, given examples of an application session, can mimic both the initiator and responder sides of the session for a wide variety of application protocols without requiring any specifics about the particular application it mimics. We use replay to filter frequent multi-stage attacks by replaying the server-side responses.
To evaluate the effectiveness of our new approaches, we develop the following systems: (1) BINDER, a host-based detection system that can detect a wide class of malware on personal computers by identifying extrusions, malicious outbound network requests which the user did not intend; (2) GQ, a large-scale, high-fidelity honeyfarm system that can capture Internet worms by analyzing in real time the scanning probes seen on a quarter million Internet addresses, with emphases on isolation, stringent control, and wide coverage.
Professor Randy H. Katz
Dissertation Committee Chair
Salvatore J. Stolfo, Ke Wang, Wei-Jen Li, Columbia University
Malcode can be easily hidden in document files and embedded in application executables. We demonstrate this opportunity of stealthy malcode insertion in several experiments using a standard COTS Anti-Virus (AV) scanner. In the case of zero-day malicious exploit code, signature-based AV scanners would fail to detect such malcode even if the scanner knew where to look. We propose the use of statistical binary content analysis of files in order to detect suspicious anomalous file segments that may suggest infection by malcode. Experiments are performed to determine whether the approach of n-gram analysis may provide useful evidence of an infected file that would subsequently be subjected to further scrutiny. Our goal is to develop an efficient means of detecting suspect infected files for application to online network communication or scanning a large store of collected information, such as a data warehouse of shared documents.