JIAOTONG UNIVERSITY
Centrality Metrics of Importance in Access Behaviors and Malware Detections
Weixuan Mao†, Zhongmin Cai†, Xiaohong Guan†, Don Towsley§
† Xi’an Jiaotong University, China
§ University of Massachusetts, Amherst, USA
ACSAC 2014
New Orleans, LA
Motivation
• System resources own different importance
  o File types, e.g., dll, tmp
  o Registry hives
  o More specific and effective
• Importance in security
  o Perspectives, e.g., integrity, confidentiality
  o Integrity
    Trustworthiness of system resources
    Prevents inappropriate modifications of information
(Figure: two processes, a and b, reading the system files ntdll.dll and chrome.dll)
Motivation (cont.)
• Importance
  o Social networks, co-authorship networks, system call graphs
  o In security?
• In this paper
  1. File/Registry dependency network
     Access behaviors
  2. Centrality metrics to measure the importance of system resources
     Security meanings
  3. Importance-metric based malware detection
     An application of importance based protection
Dependency Network
• System resources
  o Subject: process
  o Object: file, registry
• Information flows in access events
  o “Read”: subject a reads object b, b → a
  o “Write”: subject a writes object b, a → b
• Dependency relationship
• Dependency network
  o Nodes := system resources
  o Edges := dependency relationships
  o File dependency network, registry dependency network
  o Directed bipartite graph
(Figure: for a read, information flows b → a and a depends on b; for a write, information flows a → b and b depends on a)
Biba Access Control Model
• Integrity
  o Subject a is allowed to read object b only if its integrity is lower than or equal to the integrity of object b, I(a) ≤ I(b)
  o Subject a is allowed to write object b only if its integrity is higher than or equal to the integrity of object b, I(a) ≥ I(b)
• Application: Windows Vista
  o Mandatory integrity control
  o 6 integrity levels
(Figure: read, a depends on b, I(a) ≤ I(b); write, b depends on a, I(a) ≥ I(b))
Importance Under Security Meanings
• Importance with the perspective of integrity
  o Edges point to resources with higher than or equal importance
  o More in-edges lead to more importance
    Damage to resources with more in-edges affects more dependents
  o Like PageRank
(Figure: dependency edges a → b drawn between resources with I(a) ≤ I(b))
Importance Metric
• PageRank
  o Integrity perspective
• Dependency networks from benign access traces
• Rank file/registry objects by importance metric
  o File objects: 1, …, F
  o Registry objects: 1, …, R
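As an added example (not code from the paper or its authors), the following Python builds a file dependency network from a constructed access trace, with the edge direction taken from the Biba rules above (a read makes the subject depend on the object, a write makes the object depend on the subject), and ranks the file objects with a plain power-iteration PageRank. The process names, file names and the trace itself are constructed for this example.

```python
from collections import defaultdict

# Constructed access trace (process, operation, file object); not data from the paper.
ACCESS_TRACE = [
    ("chrome.exe", "read", "ntdll.dll"),
    ("chrome.exe", "read", "chrome.dll"),
    ("chrome.exe", "write", "history.tmp"),
    ("notepad.exe", "read", "ntdll.dll"),
    ("notepad.exe", "write", "notes.txt"),
    ("updater.exe", "read", "ntdll.dll"),
    ("updater.exe", "read", "notes.txt"),
    ("updater.exe", "write", "chrome.dll"),
]


def build_dependency_network(trace):
    """Return (out_edges, objects). out_edges[u] is the set of nodes u depends on.

    A read by subject a of object b moves information b -> a, so a depends on b
    (Biba: allowed only if I(a) <= I(b)); a write by a to b moves information
    a -> b, so b depends on a (allowed only if I(a) >= I(b)). Dependency edges
    therefore point from lower-or-equal to higher-or-equal integrity.
    """
    out_edges = defaultdict(set)
    objects = set()
    for subject, op, obj in trace:
        objects.add(obj)
        if op == "read":
            out_edges[subject].add(obj)
        elif op == "write":
            out_edges[obj].add(subject)
        else:
            raise ValueError(f"unknown operation {op!r}")
        out_edges.setdefault(subject, set())  # every node must be a key
        out_edges.setdefault(obj, set())
    return dict(out_edges), objects


def pagerank(out_edges, damping=0.85, max_iter=200, tol=1e-12):
    """Power-iteration PageRank on a dict of out-edge sets.

    Nodes with no out-edges (dangling) spread their score uniformly, so the
    scores always sum to 1. More in-edges means more importance, which is the
    integrity reading of the metric on the slides above.
    """
    nodes = list(out_edges)
    n = len(nodes)
    score = {u: 1.0 / n for u in nodes}
    for _ in range(max_iter):
        dangling = sum(score[u] for u in nodes if not out_edges[u])
        new = {v: (1.0 - damping) / n + damping * dangling / n for v in nodes}
        for u in nodes:
            if out_edges[u]:
                share = damping * score[u] / len(out_edges[u])
                for v in out_edges[u]:
                    new[v] += share
        delta = sum(abs(new[u] - score[u]) for u in nodes)
        score = new
        if delta < tol:
            break
    return score


def rank_objects(score, objects):
    """File objects ordered by importance, rank position 1 first (ties by name)."""
    return sorted(objects, key=lambda o: (-score[o], o))


if __name__ == "__main__":
    graph, files = build_dependency_network(ACCESS_TRACE)
    scores = pagerank(graph)
    for position, name in enumerate(rank_objects(scores, files), start=1):
        print(f"{position}: {name} ({scores[name]:.4f})")
```

With this trace ntdll.dll, read by every process and so carrying three in-edges, lands at rank position 1, while history.tmp, which nothing depends on, lands last; the registry dependency network is built the same way from registry access events.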
Behavioral Descriptions
(Figure: the feature vector of process i is built from the importance ranks of the file and registry objects it accesses. It concatenates four groups of components, reading files, writing files, reading registries and writing registries; the file components are indexed by the rank positions 1, …, F of the file objects and the registry components by the rank positions 1, …, R of the registry objects.)
Importance-metric Based Malware Detections
• Importance-metric based behavioral descriptions
  o Construct the feature for process i
• Distinguish malicious processes from benign processes
  o The discriminative classifier
    Random Forests
Experimental Settings
• Data set
  o Benign: 27,840 access traces of 534 benign programs from 8 users
  o Malicious: 7,257 malware samples
• In each experiment
  o 8 sub-experiments
Experimental Settings (cont.)
(Figure: the access traces of the 8 users are split into a benign training set (7 users) and a benign testing set (1 user); the access traces of malware are split into a malicious training set (fraction p) and a malicious testing set (fraction 1-p). The file and registry dependency networks are built from the training access traces and yield the importance of resources.)
Evaluations
• Detection results
  o 80% of malicious instances for training
  o 8 sub-experiments: U1-U8
Prioritizing Protections
• Most important objects
  o Devise more specific protections
  o Reduce time consumption
• Behavioral descriptions
  o Complete behavior
  o Partial behavior
    File objects at the top F′ rank positions, F′ < F: the feature vector keeps only the components for these file objects
    Registry objects at the top R′ rank positions, R′ < R: the feature vector keeps only the components for these registry objects
• Object coverage
  o File objects
  o Registry objects
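The following Python, an added example rather than code from the paper, builds the importance-metric behavioral description of the detection slides above and the partial behavior of this slide: one binary component per rank position for each of the four groups (reading files, writing files, reading registries, writing registries), optionally cut down to the top F′ file and top R′ registry positions. The rankings, registry key names, file names and the process trace are constructed; dropping objects that have no rank and defining coverage as F′/F are this example's own assumptions, not necessarily the paper's.

```python
# Constructed importance rankings, rank position 1 first. They stand in for the
# PageRank orderings the paper derives from benign traces; all names are made up.
FILE_RANK = ["ntdll.dll", "kernel32.dll", "chrome.dll", "notes.txt", "history.tmp"]  # F = 5
REG_RANK = [  # R = 3
    "HKLM\\Software\\Example\\Run",
    "HKCU\\Software\\Example\\Settings",
    "HKCU\\Software\\Example\\Cache",
]

# Constructed access trace of one process: (operation, object kind, object name).
PROCESS_TRACE = [
    ("read", "file", "ntdll.dll"),
    ("read", "file", "chrome.dll"),
    ("write", "file", "history.tmp"),
    ("write", "file", "scratch.bin"),  # never seen in benign traces, so unranked and ignored
    ("read", "registry", "HKCU\\Software\\Example\\Settings"),
    ("write", "registry", "HKLM\\Software\\Example\\Run"),
]

# Group order of the feature vector.
GROUPS = (("read", "file"), ("write", "file"), ("read", "registry"), ("write", "registry"))


def feature_vector(trace, file_rank, reg_rank, f_top=None, r_top=None):
    """Binary behavioral description of one process, indexed by rank position.

    Component k of a file group is 1 when the process did that operation on the
    file object at rank position k+1 (likewise for registry groups). With
    f_top = F' and r_top = R' only the top-F' file and top-R' registry
    positions are kept, which is the "partial behavior" of the slide above.
    Unranked objects are dropped (assumption of this example).
    """
    f_top = len(file_rank) if f_top is None else f_top
    r_top = len(reg_rank) if r_top is None else r_top
    position = {
        "file": {name: k for k, name in enumerate(file_rank[:f_top])},
        "registry": {name: k for k, name in enumerate(reg_rank[:r_top])},
    }
    groups = {g: [0] * (f_top if g[1] == "file" else r_top) for g in GROUPS}
    for op, kind, obj in trace:
        k = position[kind].get(obj)
        if k is not None:
            groups[(op, kind)][k] = 1
    return [bit for g in GROUPS for bit in groups[g]]


def coverage(rank, top):
    """Share of ranked objects still described: top / total (this example's definition)."""
    return top / len(rank)


if __name__ == "__main__":
    full = feature_vector(PROCESS_TRACE, FILE_RANK, REG_RANK)
    partial = feature_vector(PROCESS_TRACE, FILE_RANK, REG_RANK, f_top=2, r_top=2)
    print("complete behavior:", full, "length", len(full))
    print("partial behavior: ", partial, "length", len(partial),
          "file coverage", coverage(FILE_RANK, 2), "registry coverage", coverage(REG_RANK, 2))
```

The complete vector has 2F + 2R components and the partial one 2F′ + 2R′, which is where the time saving on the next slide comes from. Vectors of this form for many processes, with benign/malicious labels, are what the discriminative classifier consumes; for Random Forests that could be scikit-learn's RandomForestClassifier, which is not shown here.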
Evaluations
• Detection results
  o Reducing the coverage of protections does not affect performance much, in terms of average AUC
  o Less degradation for file objects than for registry objects
  o Less time consumption as coverage is reduced
(Figure: results for file objects and registry objects at reduced coverage, compared with complete behavior)
Conclusion & Future Work
• The dependency network
  o Access behaviors between system resources
  o Importance of resources in security
    Integrity perspective
    Confidentiality perspective
• Importance-metric based malware detection
  o 7,257 malware samples, 27,840 benign access traces
  o 93.94% TPR at 0.1% FPR
  o Comparison: Comodo instant malware analysis (CIMA)
    73.24% TPR, 5.37% FPR
  o Prioritizing protections
• Future work
  o Fine-grained objects, e.g., memory blocks
  o Risk assessments