
Page 1

JIAOTONG UNIVERSITY

Centrality Metrics of Importance in Access Behaviors and Malware Detections

Weixuan Mao†, Zhongmin Cai†, Xiaohong Guan†, Don Towsley§

† Xi’an Jiaotong University, China

§ University of Massachusetts, Amherst, USA

ACSAC 2014

New Orleans, LA

Page 2: Motivation

• System resources have different importance

  o File types, e.g., dll, tmp

  o Registry hives

  o More specific and effective

• Importance in security

  o Perspectives, e.g., integrity, confidentiality

  o Integrity

    Trustworthiness of system resources

    Prevents inappropriate modification of information

[Figure: example read accesses by processes a and b to ntdll.dll and chrome.dll]

Page 3: Motivation (cont.)

• Importance

  o Social networks, co-authorship networks, system call graphs

  o In security?

• In this paper

  1. File/Registry dependency network

     Access behaviors

  2. Centrality metrics to measure the importance of system resources

     Security meanings

  3. Importance-metric based malware detection

     An application of importance based protection

Page 4: Dependency Network

• System resources

  o Subject: process

  o Object: file, registry

• Information flows in access events

  o “Read”: subject a reads object b, b → a

  o “Write”: subject a writes object b, a → b

• Dependency relationship

• Dependency network

  o Nodes := system resources

  o Edges := dependency relationships

  o File dependency network, registry dependency network

  o Directed bipartite graph

[Figure: Read: information flows b → a, so a depends on b. Write: information flows a → b, so b depends on a]

Page 5: Biba Access Control Model

• Integrity

  o Subject a is allowed to read object b only if its integrity is lower than or equal to the integrity of object b, I(a) ≤ I(b)

  o Subject a is allowed to write object b only if its integrity is higher than or equal to the integrity of object b, I(a) ≥ I(b)

• Application: Windows Vista

  o Mandatory integrity control

  o 6 integrity levels

[Figure: write a → b, b depends on a, requires I(a) ≥ I(b); read b → a, a depends on b, requires I(a) ≤ I(b)]

Page 6: Importance Under Security Meanings

• Importance from the perspective of integrity

  o Edges point to resources with higher than or equal importance

  o More in-edges lead to more importance

    Damage to resources with more in-edges

  o Like PageRank

[Figure: dependency edges point to the resource with higher or equal integrity: a depends on b when a reads b, I(a) ≤ I(b); b depends on a when a writes b, I(a) ≥ I(b)]

Page 7: Importance Metric

• PageRank

  o Integrity perspective

• Dependency networks from benign access traces

• Rank file/registry objects by importance metric

  o File objects: 1, …, F

  o Registry objects: 1, …, R

[Figure: ranked lists of file objects 1, …, F and registry objects 1, …, R]
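The dependency network of Page 4 and the PageRank-style importance metric of Pages 6 and 7, as an added worked example in Python (not the authors' code). The access trace, process names and object names are constructed; the damping factor 0.85 and the uniform redistribution of dangling nodes' scores are standard PageRank choices assumed here, not taken from the slides.

```python
"""Dependency network from access events and a PageRank-style importance metric.

Added example, not the authors' code.  Edge direction follows the slides:
a "read" of object b by subject a makes a depend on b (edge a -> b); a
"write" of b by a makes b depend on a (edge b -> a).  Edges therefore point
at the resource the source depends on, and a resource with many in-edges
(many dependents) comes out as important, which is what PageRank measures.
"""

# Constructed access trace: (subject process, operation, object, object kind).
# The kind tag separates the file network from the registry network.
TRACE = [
    ("a", "read",  "ntdll.dll",  "file"),
    ("b", "read",  "ntdll.dll",  "file"),
    ("c", "read",  "ntdll.dll",  "file"),
    ("a", "read",  "chrome.dll", "file"),
    ("b", "write", "cache.tmp",  "file"),
    ("b", "read",  "cache.tmp",  "file"),
    ("c", "write", "log.tmp",    "file"),
    ("a", "read",  "HKCU\\Software\\Example\\Settings", "registry"),
    ("b", "write", "HKCU\\Software\\Example\\Settings", "registry"),
    ("c", "read",  "HKLM\\System\\Example",             "registry"),
]


def build_dependency_network(trace, kind):
    """Directed bipartite graph for one object kind: node -> set of out-neighbours."""
    out_edges = {}
    for subject, op, obj, obj_kind in trace:
        if obj_kind != kind:
            continue
        out_edges.setdefault(subject, set())
        out_edges.setdefault(obj, set())
        if op == "read":
            out_edges[subject].add(obj)   # information flows b -> a, so a depends on b
        elif op == "write":
            out_edges[obj].add(subject)   # information flows a -> b, so b depends on a
        else:
            raise ValueError(f"unknown operation {op!r}")
    return out_edges


def pagerank(out_edges, damping=0.85, iterations=200, tol=1e-12):
    """Power-iteration PageRank.  Dangling nodes (no out-edges, e.g. a DLL that
    is only read) spread their score uniformly; that is an assumed convention."""
    nodes = list(out_edges)
    n = len(nodes)
    score = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(score[v] for v in nodes if not out_edges[v])
        base = (1.0 - damping) / n + damping * dangling / n
        new = {v: base for v in nodes}
        for u in nodes:
            if not out_edges[u]:
                continue
            share = damping * score[u] / len(out_edges[u])
            for v in out_edges[u]:
                new[v] += share
        delta = sum(abs(new[v] - score[v]) for v in nodes)
        score = new
        if delta < tol:
            break
    return score


def rank_objects(trace, kind):
    """Objects of one kind ordered by importance (highest first; ties broken by name)."""
    scores = pagerank(build_dependency_network(trace, kind))
    objects = {obj for _, _, obj, obj_kind in trace if obj_kind == kind}
    return sorted(objects, key=lambda o: (-scores[o], o))


if __name__ == "__main__":
    for kind in ("file", "registry"):
        print(kind, "objects by importance:", rank_objects(TRACE, kind))
```

On the constructed trace ntdll.dll, read by all three processes, ranks first among file objects and log.tmp ranks last: a write gives the written object an out-edge rather than an in-edge, so being written does not raise an object's importance, in line with the Biba write rule of Page 5 under which the writer must already be at least as trustworthy as the object.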

Page 8: Importance-metric Based Malware Detections

• Importance-metric based behavioral descriptions

  o Construct the feature for process i

Page 9: Behavioral Descriptions

[Figure: the feature vector of process i is the concatenation of four blocks indexed by rank position: reading files and writing files (one entry per ranked file object 1, …, F) and reading registries and writing registries (one entry per ranked registry object 1, …, R); the file and registry rankings come from the importance metric]

Page 10: Importance-metric Based Malware Detections

• Importance-metric based behavioral descriptions

  o Construct the feature for process i

• Distinguish malicious processes from benign processes

  o The discriminative classifier

    Random Forests

Page 11: Experimental Settings

• Data set

  o Benign: 27,840 access traces of 534 benign programs from 8 users

  o Malicious: 7,257 malware samples

• In each experiment

  o 8 sub-experiments

Page 12: Experimental Settings (cont.)

[Figure: experimental pipeline. Access traces of the 8 users are split into 7 users (benign training set) and 1 user (benign testing set); the training access traces build the file and registry dependency networks, which give the importance of resources. Access traces of malware are split by a fraction p into the malicious training set and 1-p into the malicious testing set]

Page 13: Evaluations

• Detection results

  o 80% of malicious instances for training

  o 8 sub-experiments: U1-U8

Page 14: Prioritizing Protections

• Most important objects

  o Devise more specific protections

  o Reducing time consumption

• Behavioral descriptions

  o Complete behavior

  o Partial behavior

    File objects at top F′ rank positions, F′ < F

    Registry objects at top R′ rank positions, R′ < R

    The feature of process i restricted to the top-ranked F′ file objects and R′ registry objects for each of reading files, writing files, reading registries and writing registries

• Object coverage

  o File objects,

  o Registry objects,

[Figure: ranked file objects 1, …, F′, …, F and ranked registry objects 1, …, R′, …, R, with the top F′ and top R′ positions selected]
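The behavioral description of Pages 8 to 10 and the partial behavior of Page 14, as an added Python example (not the authors' code). It assumes each entry of the feature vector is a 0/1 indicator of whether process i read or wrote the object at that rank position (the slides do not say whether entries are indicators or counts); the ranked object lists and the process trace are constructed, and the Random Forests classifier of Page 10 is not part of the example.

```python
"""Importance-metric based behavioral description of one process.

Added example, not the authors' code.  The feature vector concatenates four
blocks indexed by rank position in the importance ranking: reading files
(F entries), writing files (F), reading registries (R), writing registries (R).
Partial behavior keeps only the top F' file and top R' registry positions, so
the vector shrinks to 2F' + 2R' entries and protection covers F'/F of the file
objects and R'/R of the registry objects.
Assumption: each entry is a 0/1 indicator of access; the slides do not state
whether the entries are indicators or counts.
"""

# Constructed importance rankings (rank position 1 first).
FILE_RANK = ["ntdll.dll", "cache.tmp", "chrome.dll", "log.tmp"]
REGISTRY_RANK = ["HKCU\\Software\\Example\\Settings", "HKLM\\System\\Example"]

# Constructed access trace of one process i: (operation, object).
PROCESS_TRACE = [
    ("read", "ntdll.dll"),
    ("read", "chrome.dll"),
    ("write", "log.tmp"),
    ("read", "HKCU\\Software\\Example\\Settings"),
    ("read", "ntdll.dll"),  # repeated access: the indicator stays 1
]


def behavior_vector(process_trace, file_rank, registry_rank,
                    top_files=None, top_registries=None):
    """Build the feature of process i.

    With top_files=F' and top_registries=R' this is the partial behavior of
    Page 14; with both left as None it is the complete behavior.
    """
    files = file_rank if top_files is None else file_rank[:top_files]
    regs = registry_rank if top_registries is None else registry_rank[:top_registries]
    accessed = {(op, obj) for op, obj in process_trace}

    def block(op, ranked):
        # One indicator per rank position, in ranking order.
        return [1 if (op, obj) in accessed else 0 for obj in ranked]

    return (block("read", files) + block("write", files)
            + block("read", regs) + block("write", regs))


def coverage(top, total):
    """Fraction of ranked objects kept under protection (F'/F or R'/R)."""
    if not 0 < top <= total:
        raise ValueError("top must lie in 1..total")
    return top / total


if __name__ == "__main__":
    complete = behavior_vector(PROCESS_TRACE, FILE_RANK, REGISTRY_RANK)
    partial = behavior_vector(PROCESS_TRACE, FILE_RANK, REGISTRY_RANK,
                              top_files=2, top_registries=1)
    print("complete behavior:", complete)
    print("partial behavior (F'=2, R'=1):", partial,
          "file coverage:", coverage(2, len(FILE_RANK)))
```

The complete vector has 2F + 2R entries; dropping to F′ = 2 and R′ = 1 halves the file coverage and removes the low-ranked log.tmp write from the description, which is the trade-off Page 15 measures in average AUC and time.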

Page 15: Evaluations

• Detection results

  o Reducing the coverage of protections barely affects performance in terms of average AUC

  o Less degradation for file objects than for registry objects

  o Less time consumption as coverage is reduced

[Figure: detection results for file objects and registry objects as coverage is reduced, compared against complete behavior]

Page 16: Conclusion & Future Work

• The dependency network

  o Access behaviors between system resources

  o Importance of resources in security

    Integrity perspective

    Confidentiality perspective

• Importance metric based malware detection

  o 7,257 malware samples, 27,840 benign access traces

  o 93.94% TPR at 0.1% FPR

  o Comparison: Comodo instant malware analysis (CIMA)

    73.24% TPR, 5.37% FPR

  o Prioritizing protections

• Future work

  o Fine-grained objects, e.g., memory blocks

  o Risk assessments

Page 17

Thank you!

Questions?

[email protected]