A System Call Analysis Method with MapReduce for Malware Detection 2011 IEEE 17th International...
A System Call Analysis Method with MapReduce for Malware Detection
2011 IEEE 17th International Conference on Parallel and Distributed Systems
Shun-Te Liu *, Hui-ching Huang*
Information & Communication Security Lab TL, Chunghwa Telecom Co., Ltd.
Yi-Ming Chen
Department of Information Management, National Central University
102062602
黃建忠
Outline
Introduction
Detect malware behavior
Evaluation
Conclusion
Malware by categories
How to detect malware
Signature-based approach
Behavior-based approach
Behavior-based approach
Detect malware by real-time monitoring mechanisms
Ex: system call monitoring (procMon)
Malicious behavior patterns
Privacy invasion
Self-replication
Persistent behavior
Modern malware
Discrete behavior: download a malicious module
Module-based malware: driver or DLL
Requirements
The collected and analyzed data is much richer (system calls)
Module dependency
Client–server model
MapReduce
A programming model for processing large data sets with a parallel, distributed algorithm on a cluster
Apache Hadoop
Persistent behavior
Malware
ASEP ( auto-start extensibility point)
Remain alive after system reboot
ASEP(1)
Can be a file or a registry key
Ex: autorun.ini
ASEP(2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (DLL)
HKLM\System\CurrentControlSet\ (driver)
Persistent behavior module(1)
Persistent behavior module(2)
Dependency Relationship(1)
An ASEP is treated as part of the module white-list filter
Dependency Relationship(2)
Mi → Mj (module Mi depends on module Mj)
Dependency structure matrix
Check diagonal cells
A → B, B → C, C → A
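As an added illustration (not the paper's own Maltrix code), the following builds a dependency structure matrix from Mi → Mj edges after dropping white-listed modules and applies the "check diagonal cells" test as I read it: a nonzero diagonal cell in the k-th power of the matrix means a module sits on a dependency cycle of length k, which is what the A → B → C → A example produces. The module names, edges and white list are constructed sample data.

```python
# Added example, not the paper's own code. Builds a dependency structure matrix
# (DSM) from module-dependency edges Mi -> Mj, after dropping white-listed modules,
# and applies the slide's "check diagonal cells" test: a nonzero diagonal cell of
# the k-th power of the DSM means some module sits on a dependency cycle of length k.
# The white list, module names and edges below are constructed, not from the paper.

def filter_whitelist(edges, whitelist):
    """Drop every edge that touches a white-listed (known-good) module."""
    return [(s, d) for s, d in edges if s not in whitelist and d not in whitelist]

def build_dsm(modules, edges):
    """Adjacency matrix D with D[i][j] = 1 iff module i depends on module j."""
    idx = {m: i for i, m in enumerate(modules)}
    dsm = [[0] * len(modules) for _ in modules]
    for src, dst in edges:
        dsm[idx[src]][idx[dst]] = 1
    return dsm

def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def diagonal_cycles(dsm):
    """Map cycle length k -> row indices with a nonzero diagonal cell in D^k."""
    n, power, found = len(dsm), dsm, {}
    for k in range(1, n + 1):
        if k > 1:
            power = mat_mul(power, dsm)   # D^k counts closed walks of length k
        rows = [i for i in range(n) if power[i][i] > 0]
        if rows:
            found[k] = rows
    return found

def correlated_modules(edges, whitelist):
    """Module names on the shortest dependency cycle after filtering ([] if acyclic)."""
    kept = filter_whitelist(edges, whitelist)
    modules = sorted({m for e in kept for m in e})
    found = diagonal_cycles(build_dsm(modules, kept))
    if not found:
        return []
    return [modules[i] for i in found[min(found)]]

# Constructed sample: the slide's A -> B -> C -> A chain plus loads of system DLLs.
WHITELIST = {"ntdll.dll", "kernel32.dll"}
EDGES = [("A.dll", "B.dll"), ("B.dll", "C.dll"), ("C.dll", "A.dll"),
         ("A.dll", "kernel32.dll"), ("kernel32.dll", "ntdll.dll")]

if __name__ == "__main__":
    print(correlated_modules(EDGES, WHITELIST))  # ['A.dll', 'B.dll', 'C.dll']
```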
Accuracy
Performance
Contribution
Propose a relation-based method to correlate the discrete behavior of malware.
Implement a prototype of Maltrix on the Hadoop platform.
Challenges
Some malware doesn't require an ASEP
The cost of data transmission hasn't been measured.
Anti-API hooking
Without using system calls