Synthesizing Near-Optimal Malware Specifications from Suspicious

Synthesizing Near-Optimal Malware Specifications from Suspicious

Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors Somesh Jha∗, Matthew Fredrikson∗, Mihai Christodoresu†, Reiner Sailer‡, Xifeng Yan§ ∗University of Wisconsin–Madison, †Qualcomm Research Silicon Valley, ‡IBM T.J Watson Research Center, §University of California–Santa Barbara Abstract—Behavior-based detection techniques are a promis- and errors. ing solution to the problem of malware proliferation. However, We make the observation that behavioral specifications they require precise specifications of malicious behavior that do not result in an excessive number of false alarms, while still are best viewed as a form of discriminative specification.A remaining general enough to detect new variants before tradi- discriminative specification describes the unique properties tional signatures can be created and distributed. In this paper, of a given class, in contrast to the properties exhibited by we present an automatic technique for extracting optimally discriminative specifications a second mutually-exclusive class. This paper presents an , which uniquely identify a class automated technique that combines program analysis, graph of programs. Such a discriminative specification can be used by a behavior-based malware detector. Our technique, based mining, and stochastic optimization to synthesize malware on graph mining and stochastic optimization, scales to large behavior specifications. We represent program behaviors as classes of programs. When this work was originally published, graphs that are mined for discriminative patterns. As there the technique yielded favorable results on malware targeted are many ways in which malware can accomplish the same towards workstations (~86% detection rates on new malware). goal, we use these patterns as building blocks for construct- We believe that it can be brought to bear on emerging malware- based threats for new platforms, and discuss several promising ing discriminative specifications that are general across vari- avenues for future work in this direction. ants, and thus robust to severe obfuscations. Furthermore, because our graph mining and synthesis procedures are I. INTRODUCTION agnostic to the details of the underlying graph representation, our technique will benefit from ongoing advances in program Although behavior-based malware detection techniques analysis and malware research. continue to grow in popularity, the predominant technique This paper presents the following contributions: for detecting malware remains signature-based scanning. Meanwhile, malware authors continue to perfect the science • We divide the specification problem into two automat- of quickly generating large numbers of signature-resistant able tasks: (1) mining discriminative behavior patterns variants, giving them the upper-hand. Kaspersky’s most from a set of samples and (2) synthesizing a discrimina- recent annual report documented an average of roughly tive specification from multiple sets of mined behaviors. 200,000 new samples each day [1], up 60% from the 125,000 These tasks mirror a human analyst’s workflow, where daily new samples seen at the end of the previous year. This new malware samples are first analyzed for potentially leaves the window of vulnerable exposure—the period in malicious behaviors, and subsequently merged with which a new variant exists but suitable methods for detecting known behaviors to construct a good specification. it do not—wide open. • We discuss a specification synthesis algorithm that Behavior-based detectors have been proposed as a remedy mirrors this workflow, and its evaluation on a corpus to this problem. It is more challenging for an adversary to of desktop malware. Our experience shows that it mutate the behavior of a malware while still maintaining automatically identifies both behaviors documented by its intended payload, so in principle this approach holds AV-industry analysts as well as new behaviors, provides promise. However, the challenge remains of constructing favorable detection statistics, and scales agreeably with effective specifications of malicious behavior, i.e., those reasonable parameters. that are general enough to detect new variants but spe- • We discuss several avenues for future research that are cific enough to avoid false positives. The most reliable likely to yield useful results when applying our tech- technique to date for generating behavioral specifications nique to the newer, emerging malware-related threats treats the practice as more of an art than a science, relying that are prevalent on the web and mobile platforms. almost entirely on manual analysis and human ingenuity— an expensive, time-consuming, and error-prone process that The remainder of the paper is organized as follows. In provides no quantitative guarantees of effectiveness. In this Section 2, we present the algorithm. In Section 3 we briefly paper we address the challenge of automatically creating discuss performance. In Section 4 we discuss promising behavioral specifications that strike a suitable balance in this future avenues for research, and in Section 5 we discuss regard, thus removing the dependence on human expertise related work. 978-1-4799-2535-3/13/$31.00 c 2013 IEEE 41 Subset 1 Behavior Mining Inputs Behavior Mining Significant Specification Synthesis (§4) Graphs 1 Behaviors Malware Subset 2 Optimally Behavior Mining Structural(§3) SignificantSignificant GraphsGraphs 1 BehaBehaviorsviors Discriminative Leap Concept Dependence Significant Specifications StructuralStructural Analysis Subset 3 Graphs Mining Behaviors LeapLeap and StructuralMiningMining Simulated Leap Annealing Benign Apps Mining HOLMES Figure 1. HOLMES combines program analysis, structural leap mining, and concept analysis to create optimal specifications. Table I L SOME OF THE SECURITY LABELS (AND CORRESPONDING LOGICAL vertices and edges with formulas in some logic dep CONSTRAINTS) THAT ALLOW US TO CAPTURE INFORMATION FLOWS. capable of expressing constraints on operations and the dependencies between their arguments. Security Label Description NameOfSelf The name of the currently execut- We enhance our dependence graphs by assigning special- ing program. IsRegistryKeyForBootList A Windows registry key listing ized labels to particular files, directories, registry keys, and software set to start on boot. devices based on their significance to the system. The Mi- IsRegistryKeyForWindows A registry key that contains con- crosoft Windows documentation [2] lists a large number of figuration settings for the operat- ing system. files, directories, registry keys, and devices that are relevant IsSystemDirectory The Windows system directory. to system security, stability, and performance. Table I lists a IsRegistryKeyForBugfix The Windows registry key con- few of the labels we apply to the nodes in the constructed de- taining list of installed bugfixes and patches. pendency graphs. These labels, although operating system- IsRegistryKeyForWindowsShell The Windows registry key con- specific, are not tied to any particular class of malware or trolling the shell. benign programs. They allow our algorithm to recognize as IsDevice A named kernel device. IsExecutableFile Executable file. potentially malicious otherwise benign behaviors, such as In our graphical representation of behaviors, the security labels appear as modifying the registry or reading certain files. For example, arguments constraints inside nodes. For example, in 2(a), the programs that modify bugfix registry settings or executable NtOpenKey node has its argument Y2 constrained by the security label files are more likely to engage in further, more elaborate IsRegistryKeyForBugfix. malicious behaviors than those that do not. Several example behavior graphs are given in Figure 2. Using this representation, we wish to derive a behavioral II. THE ALGORITHM specification that is descriptive of a given set of programs A. Background & Overview (the malicious set of programs) but does not describe any For the purposes of this work, we define the behavior program in a second set (the benign set of programs). of a program as its effect on the state of the system over Our experience suggests that any behavior common to the which it executes. On modern desktop platforms, including entirety of a diverse set of malware samples will not be the Windows operating system to which we focus our effots, useful in the manner required of a malware specification, as the portion of the system state that is pertinent to malicious it is likely to show up in benign programs as well (e.g., behavior is accessible only via system calls. Thus, we define common file operations, memory allocation, etc.). Thus, a representation of software behavior in terms of the system before searching for discriminative patterns, we partition the calls, and their inter-relationships, made by a single program malware set by family to “draw out” the meaningful mali- executing on the host. cious behaviors. This leads us to the high-level workflow of our technique, which is presented in Figure 1 and proceeds Definition 1 (Behavior Graph): A behavior graph g is a as follows: structure (V,E,α,β) where: I. The known, labeled malware is divided into disjoint • the set of vertices V corresponds to operations from families using existing antivirus-industry labels. some alphabet Σ of system calls, • the set of edges E ⊆ V × V corresponds to dependen- II. Using existing techniques for dependence-graph con- cies between operations, struction [3], a graph is constructed for each malware • the labeling function

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us