
JIAOTONG UNIVERSITY

Centrality Metrics of Importance in Access Behaviors and Malware Detections

Weixuan Mao†, Zhongmin Cai†, Xiaohong Guan†, Don Towsley§

† Xi’an Jiaotong University, China

§ University of Massachusetts, Amherst, USA

ACSAC 2014

New Orleans, LA

Motivation (slide 2)

• System resources have different importance

o File types, e.g., dll, tmp

o Registry hives

o Enables more specific and effective protection

• Importance in security

o Perspectives, e.g., integrity, confidentiality

o Integrity

Trustworthiness of system resources

Prevents inappropriate modification of information

[Figure: example read accesses by processes a and b on ntdll.dll and chrome.dll]

Motivation (cont.) (slide 3)

• Importance

o Studied in social networks, co-authorship networks, system call graphs

o In security?

• In this paper

1. File/Registry dependency network

Built from access behaviors

2. Centrality metrics to measure the importance of system resources

Their security meanings

3. Importance-metric based malware detection

An application of importance-based protection

Dependency Network (slide 4)

• System resources

o Subject: process

o Object: file, registry

• Information flows in access events

o “Read”: subject a reads object b, b → a

o “Write”: subject a writes object b, a → b

• Dependency relationship: the reverse of the information flow (a depends on b after reading b; b depends on a after being written by a)

• Dependency network

o Nodes: system resources

o Edges: dependency relationships

o File dependency network, registry dependency network

o Directed bipartite graph

[Figure: for a read, information flows from b to a and a depends on b; for a write, information flows from a to b and b depends on a]

Biba Access Control Model (slide 5)

• Integrity

o Subject a is allowed to read object b only if its integrity is lower than or equal to the integrity of object b, I(a) ≤ I(b)

o Subject a is allowed to write object b only if its integrity is higher than or equal to the integrity of object b, I(a) ≥ I(b)

• Application: Windows Vista

o Mandatory integrity control

o 6 integrity levels

[Figure: the “depends on” edge for a write, b depends on a with I(a) ≥ I(b), and for a read, a depends on b with I(a) ≤ I(b)]

Importance Under Security Meanings (slide 6)

• Importance with the perspective of integrity

o Edges point to resources with higher than or equal importance

o More in-edges lead to more importance

Damage to a resource with more in-edges affects more of the resources that depend on it

o Like PageRank

[Figure: a depends on b with I(a) ≤ I(b) for a read; b depends on a with I(a) ≥ I(b) for a write]

Importance Metric (slide 7)

• PageRank

o Integrity perspective

• Dependency networks from benign access traces

• Rank file/registry objects by importance metric

o File objects: 1, …, F

o Registry objects: 1, …, R
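As an added example (not code from the paper or its authors), the following Python builds the dependency network of slides 4 to 7 from a constructed access trace and ranks the file objects with a plain power-iteration PageRank. The event format, the sample events and the dependency-edge orientation (reads: subject → object; writes: object → subject, so edges point toward the resource that Biba requires to have higher-or-equal integrity) are assumptions made for this example.

```python
"""Dependency network and PageRank importance from access traces.

Added example, not the paper's code. The trace format and sample events are
constructed for illustration.
"""
from collections import defaultdict

# Constructed sample trace: (subject process, operation, object path).
SAMPLE_TRACE = [
    ("chrome.exe", "read", r"C:\Windows\System32\ntdll.dll"),
    ("chrome.exe", "read", r"C:\Program Files\Chrome\chrome.dll"),
    ("chrome.exe", "write", r"C:\Users\u\AppData\Local\Temp\a.tmp"),
    ("notepad.exe", "read", r"C:\Windows\System32\ntdll.dll"),
    ("notepad.exe", "read", r"C:\Windows\System32\kernel32.dll"),
    ("notepad.exe", "write", r"C:\Users\u\notes.txt"),
    ("explorer.exe", "read", r"C:\Windows\System32\ntdll.dll"),
    ("explorer.exe", "read", r"C:\Windows\System32\kernel32.dll"),
    ("explorer.exe", "write", r"C:\Users\u\AppData\Local\Temp\a.tmp"),
]


def build_dependency_network(trace):
    """Return (subjects, objects, deps) where deps[v] is the set of nodes v depends on.

    read:  information flows object -> subject, so the subject depends on the
           object it read (edge subject -> object).
    write: information flows subject -> object, so the object depends on the
           subject that wrote it (edge object -> subject).
    Both edge kinds point toward the resource Biba requires to have
    higher-or-equal integrity, so in-edges accumulate on trusted resources.
    """
    subjects, objects = set(), set()
    deps = defaultdict(set)
    for subject, op, obj in trace:
        subjects.add(subject)
        objects.add(obj)
        if op == "read":
            deps[subject].add(obj)
        elif op == "write":
            deps[obj].add(subject)
        else:
            raise ValueError(f"unknown operation {op!r}")
    return subjects, objects, deps


def pagerank(nodes, deps, damping=0.85, iterations=100, tol=1e-10):
    """Power-iteration PageRank over the dependency edges.

    Dangling nodes (no out-edges, e.g. a DLL that is only read) spread their
    mass uniformly, which keeps the scores summing to one.
    """
    nodes = list(nodes)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not deps.get(v))
        new = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for v in nodes:
            out = deps.get(v)
            if out:
                share = damping * rank[v] / len(out)
                for w in out:
                    new[w] += share
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def rank_objects(trace):
    """Rank the objects of a trace by importance, most important first."""
    subjects, objects, deps = build_dependency_network(trace)
    scores = pagerank(subjects | objects, deps)
    # Ties (equal scores) are broken by path so the order is deterministic.
    return sorted(objects, key=lambda v: (-scores[v], v))


if __name__ == "__main__":
    for position, path in enumerate(rank_objects(SAMPLE_TRACE), 1):
        print(position, path)
```

In the constructed trace ntdll.dll is read by all three processes and kernel32.dll by two, so they collect the most in-edges and land at the top of the ranking; a.tmp and notes.txt, which are only written to, receive no in-edges and sit at the bottom. The same construction with registry keys as objects yields the registry dependency network.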

Importance-metric Based Malware Detections (slide 8)

• Importance-metric based behavioral descriptions

o Construct a feature vector for process i

Behavioral Descriptions (slide 9)

[Figure: the feature vector of process i is the concatenation of four blocks: reading files, writing files, reading registries, writing registries. Within each block the entries follow the importance rank of the file objects (1, …, F) and registry objects (1, …, R), so the same position always refers to the same ranked object.]

Importance-metric Based Malware Detections (slide 10)

• Importance-metric based behavioral descriptions

o Construct the feature vector for process i

• Distinguish malicious processes from benign processes

o Discriminative classifier: Random Forests

Experimental Settings (slide 11)

• Data set

o Benign: 27,840 access traces of 534 benign programs from 8 users

o Malicious: 7,257 malware samples

• In each experiment

o 8 sub-experiments

Experimental Settings (cont.) (slide 12)

[Figure: experimental pipeline. The access traces of the 8 users are split into training traces (7 users) and testing traces (1 user); the access traces of malware are split into a fraction p for training and 1-p for testing. The benign training traces build the file and registry dependency networks, from which the importance of resources is computed; the benign and malicious training sets train the classifier, and the benign and malicious testing sets evaluate it.]

Evaluations (slide 13)

• Detection results

o 80% of malicious instances for training

o 8 sub-experiments: U1-U8

Prioritizing Protections (slide 14)

• Most important objects

o Devise more specific protections

o Reduce time consumption

• Behavioral descriptions

o Complete behavior: feature vector over all F file objects and all R registry objects

o Partial behavior

File objects at the top F′ rank positions, F′ < F

Registry objects at the top R′ rank positions, R′ < R

[Figure: the partial feature vector keeps, in each of the four blocks, only the entries for the top F′ file objects and the top R′ registry objects]

• Object coverage

o File objects

o Registry objects
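Added example, not the authors' code: building the importance-ordered feature vector of slides 9 and 14 for complete behavior (all F file objects and R registry objects) and partial behavior (top F′ and R′ only). The rankings, the per-process traces, the use of access counts as feature values and the definition of object coverage as the fraction of ranked objects kept are assumptions made for this example; the slides do not state them.

```python
"""Importance-ordered behavioral feature vectors for complete and partial behavior.

Added example, not the paper's code. Assumed (not stated on the slides): a
feature entry is the number of times the process performed that access on the
ranked object, and object coverage is the fraction of ranked objects kept.
"""
from collections import Counter

# Constructed rankings, most important first (e.g. the output of PageRank over
# the dependency network): F = 4 file objects, R = 3 registry objects.
FILE_RANK = ["ntdll.dll", "kernel32.dll", "chrome.dll", "a.tmp"]
REG_RANK = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
    r"HKCU\Software\ExampleApp\Settings",
]

# Constructed per-process access traces: (operation, object kind, object).
TRACES = {
    "benign_proc": [
        ("read", "file", "ntdll.dll"),
        ("read", "file", "kernel32.dll"),
        ("write", "file", "a.tmp"),
        ("read", "registry", REG_RANK[2]),
    ],
    "suspect_proc": [
        ("read", "file", "ntdll.dll"),
        ("write", "file", "kernel32.dll"),
        ("write", "registry", REG_RANK[0]),
        ("write", "registry", REG_RANK[0]),
    ],
}

OPS = ("read", "write")


def _selected(file_rank, reg_rank, top_files, top_regs):
    """Apply the F' / R' truncation; None keeps every ranked object."""
    files = file_rank if top_files is None else file_rank[:top_files]
    regs = reg_rank if top_regs is None else reg_rank[:top_regs]
    return (("file", files), ("registry", regs))


def feature_vector(trace, file_rank, reg_rank, top_files=None, top_regs=None):
    """Return [read-files | write-files | read-registries | write-registries].

    Each block lists the ranked objects in importance order, so position k of a
    block refers to the same object for every process. top_files (F') and
    top_regs (R') keep only the most important objects (partial behavior).
    """
    counts = Counter(trace)  # (op, kind, obj) -> number of occurrences
    vec = []
    for kind, objs in _selected(file_rank, reg_rank, top_files, top_regs):
        for op in OPS:
            vec.extend(counts[(op, kind, obj)] for obj in objs)
    return vec


def feature_names(file_rank, reg_rank, top_files=None, top_regs=None):
    """Human-readable label for each position, same layout as feature_vector."""
    names = []
    for kind, objs in _selected(file_rank, reg_rank, top_files, top_regs):
        for op in OPS:
            names.extend(f"{op}:{kind}:{obj}" for obj in objs)
    return names


def coverage(top, total):
    """Fraction of ranked objects retained when only the top `top` are used."""
    return top / total


if __name__ == "__main__":
    for name, trace in TRACES.items():
        full = feature_vector(trace, FILE_RANK, REG_RANK)
        part = feature_vector(trace, FILE_RANK, REG_RANK, top_files=2, top_regs=1)
        print(name, "complete:", full)
        print(name, "partial (F'=2, R'=1):", part)
    print("file coverage at F'=2:", coverage(2, len(FILE_RANK)))
    print("registry coverage at R'=1:", coverage(1, len(REG_RANK)))
```

The complete vector has 2F + 2R entries and the partial vector 2F′ + 2R′, which is where the time saving of reduced coverage comes from: fewer objects to monitor and a shorter vector for the classifier. The vectors of every process share the same layout, so they can be stacked directly as the training matrix for the random forest.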

Evaluations (slide 15)

• Detection results

o Reducing the coverage of protections does not affect performance much, in terms of average AUC

o Less degradation for file objects than for registry objects

o Less time consumption as coverage is reduced

[Figure: average AUC and time consumption versus object coverage, for file objects and registry objects, with complete behavior as the reference]

Conclusion & Future Work (slide 16)

• The dependency network

o Access behaviors between system resources

o Importance of resources in security

Integrity perspective

Confidentiality perspective

• Importance-metric based malware detection

o 7,257 malware samples, 27,840 benign access traces

o 93.94% TPR at 0.1% FPR

o Comparison: Comodo Instant Malware Analysis (CIMA)

73.24% TPR, 5.37% FPR

o Prioritizing protections

• Future work

o Fine-grained objects, e.g., memory blocks

o Risk assessments

Thank you! (slide 17)

Questions?

wxmao@sei.xjtu.edu.cn
