Detection of Malware Downloads via Graph Mining (AsiaCCS '16)

Real-Time Detection of Malware Downloads via Large-Scale URL→File→Machine Graph Mining

Babak Rahbarinia ; Marco Balduzzi ; Roberto PerdisciAsiaCCS 2016, June 02, Xi’an, China

Introduction

Traditional AV is dead?Signature-based VS. Statistical-based

Traditional AVs inefficiency (they don’t work!)polymorphism, code obfuscation, packers, ...

URL blacklistingstatic, lags behindtime consuming analysis of individual URLs

Local VS. GlobalLocal: looks at one potential malware at a time

Global: leverages global situational awareness

Introduction

Large-scale analysis of behavioral patterns“Who - where - what” relationshipGlobal situation awarenessGraph-based machine learning

Combination of system- and network-level info

Mastino:Real-time and concurrent detection of download

eventsReal-world deployment on million of machines

(Internet-scale)3

Approach

Static+dynamic detection [Many]

Graph mining detection: Polonium [KDD10]Offline approach VS real-timeOnly files classification VS + URLs (download event)Bipartite VS tripartite graphProprietary reputation function VS open

AMICO [Esorics13]HTTP-centric VS protocol-independentOnly works in LANs VS “move across networks”

Google’s CAMP [NDSS13]Browser-centric VS system-centric

(Quick) Related Work

Download GraphURLs

Files Machines

AnnotationsURLs

Files Machines

● Age of URL, domain, path, IP

● Size● Lifetime, prevalence● Packed, signed

● Download behavior● Client processes8

Files Machines

Labeling

Machines’ reputations based on their download/activity history 9

● B: Alexa (-hosting)● M: GSB + WRS

● B: Grid + VT● M: VT

Features and classifier

url1 url2 url3

f behavior-basedfeatures = {URL stats, machine stats}

machine1 machine3machine2

compute min, max, med, avg, and std

URL’s R + R of [FQD, e2LD, path, path pattern, query string, query pattern]

Machine’s R

Files Features

url1 url2 url3

Machine’s R

f intrinsicfeatures = {file size, prevalence,

packed, signed, ...}+

Files Features

url1 url2 url3

Machine’s R

packed, signed, ...}

Files Features

URLs Features

u + {all URLs sharing a component with u}

file1 file2 file3

u behavior-basedfeatures = {files stats, machine stats}

File’s R

Machine’s R

URLs Features

u + {all URLs sharing a component with u}

file1 file2 file3

u behavior-basedfeatures = {files stats, machine stats}

File’s R

Machine’s R

u intrinsicfeatures = {URL, FQD,

e2LD recency}+

url1 url2 url3

Machine’s R

packed, signed, ...}

Files Features

Example #1

Files Machines

What could be said about F1 and F2?

Example #1URLs

Files Machines

Example #1URLs

Files Machines

Example #2

What could be said about F1?All neighbors are unknown

Machines17

Example #2

FQD Path

All URLs that share the same components as u

Machines

All URL components:* FQD* e2LD* Path* Path pattern* Query string* Query string pattern* IP* IP/24

Example #2

FQD Path

Machines19

Example #2

FQD Path

Machines

Deployment

TimeDay 1 Day 2 Today

...Yesterday

Time Window of 10 days

Deployment

TimeDay 1 Day 2 Today

...Yesterday

Trained classifiers

URL classifier

SHA1 classifier

Real-time classification

of URLs & SHA1s

Detection of

Malicious Download Events

Data Collection

7 months of data (Jan to Aug 2014)d = (u; f; m) Hundreds of thousands of machines, files, urlsMillion of nodes

Labeling:Files: VirusTotal, GRID [Trend]URLs: Alexa, Google Safe Browsing, WRS [Trend]

Annotations:File census and GUID census [Trend]Virus Total (signed..)

Train & test for new download events

New download events

Detection results new events over 7 periods of 5 days (35 days, total)

Files URLs

Combined detection of download events

(u = m) v (f = m) -> d = m1 day experiment (5 months)

Efficiency: requests are served in ~0.16 sec84% of detection: 0-days (unknown)

Wuachos.A DropperFilename file_saw.exe

URLs with _no_ reputationLow prevalenceInvalid signaturePath pattern with R of 0.72 (malicious) [*]

1,445 URLs serving 182 polymorphic malware

[*] /f/1392240240/1255385580/2 , /f/1392240120/4165299987/2 -> /H1/I10/I10/I1

Case Study #1

Somoto AdwareFilename FreeZipSetup-[\d].exe

Packed, short lifetime, prevalence = 01 related machine downloaded 1 known

sample during our time window T=10days

Detected a campaign of 695 samples616 were unknown to VirusTotal

61 unknown +6 months

Case Study #2

TTAWinCDM Spyware

Machine and URL with _no_ reputationLow lifetime&prevelance&countries

Mismatch on downloading processAcrobat process VS. Unauthoritative domain

Flash 0-day (+2 month)

Case Study #3

Analysis of Window T

Bonus #1

Features Analysis

Bonus #2

Files analysis URLs analysis

Mastino: real-time detection of malware downloads by passive clients monitoring

Content agnostic, behavioral analysis

Real-world deployment on large-scaleOver 95% TP / 0.5% FP0-days

Conclusions

Thank you!

@embytehttp://www.madlab.it

Babak Rahbarinia ; Marco Balduzzi ; Roberto Perdisci

Questions?

Detection of Malware Downloads via Graph Mining (AsiaCCS '16)

Internet

Windows Malware Firewall: Remove Windows Malware Firewall

MALWARES MALWARE REVIEWED ISE DE Malware Reviewed · MALWARES There are public reports about spreading of malware named as ServHelper malware. It is a backdoor malware used by attacker

Large-Scale Malware Indexing Using Function-Call Graphshuxin/papers/xin_SMIT_extend.pdf · query processing methods cannot scale to a large graph database; ... exact graph or subgraph

Malware & Anti-Malware

DELEGATE ACCOMMODATION AsiaCCS 2019 · 2019-07-15 · Prepared by Event Services . DELEGATE ACCOMMODATION . AsiaCCS 2019 . CORDIS, AUCKLAND . 83 Symonds St, Auckland Cordis, Auckland

Q4 Home Anti-Malware Protection OCT-DEC 2018 · different results from this report into one easy-to-understand graph. The graph below takes into account not only each product’s

Sonia Jahid, Prateek Mittal, Nikita Borisov University of Illinois at Urbana-Champaign Presented by Nikita Borisov ASIACCS 2011

Ch 12: Covert Malware Launching - samsclass.info · Practical Malware Analysis Ch 12: Covert Malware Launching Last revised: 4-10-17. Hiding Malware • Malware used to be visible

Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware … · 2011-08-16 · Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware

Ontology-driven Knowledge Graph for Android Malware

(2013) similarity metric method of obfuscated malware using function call graph

Polonium: Tera-Scale Graph Mining and Inference for ...dchau/polonium_sdm2011.pdf · that detects malware through large-scale graph infer- ... Technical term Synonyms Meaning Malware

Malware Analysis Analysis.pdf · Definisi Malware Analysis • What is a malware? • Malware (malicious software) ... Malware Sinkronisasi Token • Pelaku: Zeus Banking Trojan •

Practical Malware Analysis: Ch 11: Malware Behavior

Malware and Anti-Malware Seminar by Benny Czarny

Mobile Malware Network View - Black Hat · Mobile Malware Network View ... ... Windows Malware impacts mobile

Intrusion Detection and Malware Analysis - Malware collection134.2.173.140/lehre/ws10/ids-malware/12-malware-collection.pdf · Intrusion Detection and Malware Analysis Malware collection

THE EVOLUTION OF MALWARE & FUTURE MALWARE MITIGATION

ACM AsiaCCS · the ACM International Symposium on Blockchain and Secure Critical Infrastructure (BSCI 2019). Putting together ASIACCS 2019 was a team effort. We would first like to

Malware and anti-malware (fun with Trojans) - Z. …z.cliffe.schreuders.org/edu/FS/Malware and anti-malware... · 2014-04-02 · Malware and anti-malware (fun with Trojans) ... with