
Automatic Generation of Remediation Procedures for Malware Infections


Presentation Transcript


  1. Automatic Generation of Remediation Procedures for Malware Infections
     Roberto Paleari, Università degli Studi di Milano
     Lorenzo Martignoni, Università degli Studi di Udine
     Emanuele Passerini, Università degli Studi di Milano
     Drew Davidson, University of Wisconsin
     Matt Fredrikson, University of Wisconsin
     Jon Giffin, Georgia Institute of Technology
     Somesh Jha, University of Wisconsin
     2010 USENIX Security Symposium

  2. Outline
     • Introduction
     • Related Work
     • System Overview
     • System Details
     • Evaluation
     • Discussion
     • Conclusion

  3. Introduction
     • After infection:
       • Format the disk and re-install the OS
       • Restore from data backups
       • Commercial anti-malware software
         • *tries to* revert the effects of the malware
         • Unstable, or even fails

  4. Introduction
     • In this work:
       • Given a malware binary
       • Automatically generate remediation procedures
       • Does not require information about the infection
       • 98% of the harmful effects reverted
       • http://pages.cs.wisc.edu/~mfredrik/remediate/

  5. Related Work
     • Behavior-based malware analysis
       • Dynamic analysis:
         • A layered architecture for detecting malicious behaviors, RAID 2008
         • Panorama: Capturing system-wide information flow for malware detection and analysis, ACM CCS 2007
       • Behavior-based detection:
         • Effective and efficient malware detection at the end host, USENIX Security Symposium 2009
       • Clustering:
         • Scalable, behavior-based malware clustering, NDSS 2009

  6. Related Work
     • Execution of untrusted applications
       • Back to the future: A framework for automatic malware removal and system repair, ACSAC 2006
       • One-way isolation: An effective approach for realizing safe execution environments, NDSS 2005

  7. System Overview

  8. System Overview

  9. System Overview
     • High-Level Behavior Extraction
       • Analyze the semantics of a program to produce a sequence of meaningful behaviors

  10. System Overview
     • Behavior Generalization
       • Attempt to over-approximate the observed paths, thus encompassing future paths
       • Cluster all instances of the same high-level behavior together
       • Analyze each cluster to generalize the arguments
       • Example: c:\windows\po[[:alpha:]]{3}.exe
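The generalization step on this slide, as an added example that is not part of the paper or the slides: the paper infers a probabilistic finite-state automaton from the clustered argument strings, whereas the simplified aligner below compares equal-length file names column by column and widens every position that varies into the POSIX class that covers it, which is enough to reproduce the `c:\windows\po[[:alpha:]]{3}.exe` constraint from three constructed observations. The `OBSERVED_PATHS`, `generalize`, `to_display`, `to_python_regex` and `matches` names are the example's own, and the `[[:alpha:]]` to `[A-Za-z]` translation is needed because Python's `re` module has no POSIX character classes.

```python
import re

# Classes are written the way the slides write them and translated to
# Python re syntax only when a resource name is actually matched.
POSIX_TO_PY = {"[[:alpha:]]": "[A-Za-z]", "[[:digit:]]": "[0-9]", ".": "."}

# Constructed sample: the file argument of three DropAndAutostart instances
# that ended up in one cluster (hypothetical names, not from the paper).
OBSERVED_PATHS = [
    r"c:\windows\poabc.exe",
    r"c:\windows\poxyz.exe",
    r"c:\windows\pokqr.exe",
]


def classify(ch):
    """Smallest POSIX class covering one character, or None for punctuation."""
    if ch.isalpha():
        return "[[:alpha:]]"
    if ch.isdigit():
        return "[[:digit:]]"
    return None


def generalize(strings):
    r"""Align equal-length strings column by column.

    Columns where every instance agrees stay literal; columns that vary widen
    to the class covering all of them (or '.' if no single class does).
    Consecutive identical classes merge into one token with a repeat count,
    so poabc/poxyz/pokqr becomes po[[:alpha:]]{3}. Tokens are
    (kind, value, count) with kind in {"lit", "cls"}.
    """
    if len({len(s) for s in strings}) != 1:
        raise ValueError("this simplified aligner needs equal-length strings")
    tokens = []
    for column in zip(*strings):
        if len(set(column)) == 1:
            kind, value = "lit", column[0]
        else:
            classes = {classify(c) for c in column}
            kind = "cls"
            value = classes.pop() if len(classes) == 1 and None not in classes else "."
        if kind == "cls" and tokens and tokens[-1][:2] == (kind, value):
            tokens[-1] = (kind, value, tokens[-1][2] + 1)
        else:
            tokens.append((kind, value, 1))
    return tokens


def to_display(tokens):
    """Render the constraint in the slides' notation."""
    return "".join(v if k == "lit" or n == 1 else f"{v}{{{n}}}" for k, v, n in tokens)


def to_python_regex(tokens):
    """Same constraint in Python re syntax (literals escaped, classes translated)."""
    parts = []
    for kind, value, n in tokens:
        if kind == "lit":
            parts.append(re.escape(value))
        else:
            parts.append(POSIX_TO_PY[value] + ("" if n == 1 else f"{{{n}}}"))
    return "".join(parts)


def matches(tokens, candidate):
    """True when a resource name found on a machine satisfies the constraint.

    Windows paths are case-insensitive, so the match is too. Names never seen
    during analysis (e.g. pozzz.exe) match as well: that is the intended
    over-approximation of future paths."""
    return re.fullmatch(to_python_regex(tokens), candidate, re.IGNORECASE) is not None


if __name__ == "__main__":
    constraint = generalize(OBSERVED_PATHS)
    print(to_display(constraint))
    print(matches(constraint, r"c:\windows\pozzz.exe"))
```

Real clusters contain names of different lengths and paths that differ in more than one position, which is why the paper uses an automaton rather than a fixed-width alignment; the check in `matches` is the same either way, and it is the part that later decides which resources a remediation procedure touches.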

  11. System Overview
     • Remediation Procedure Generation
       • Attempt to match each resource (file, process, or registry key) on the system against the constraints associated with each generalized high-level behavior
       • Example: c:\windows\po[[:alpha:]]{3}.exe

  12. System Details
     • High-Level Behavior Extraction
       • Use QEMU to monitor the malware and record its system call trace
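Added example of the extraction stage (not the paper's tooling, which collects the traces with QEMU): a constructed, already-decoded system-call trace in which a file is created and written and a `Run` value is then set to its name; the walker links the registry write back to the dropped file and reports one `DropAndAutostart` behavior. The trace format, the `Syscall` tuple and the full `RUN_KEY` path are assumptions; the slides only show the tail `...Windows\CurrentVersion\Run`, and the file contents (the `data` argument on slide 17) are not tracked here.

```python
from collections import namedtuple

# Simplified trace record: real traces carry handles and raw arguments,
# here each call already names the path or key it refers to.
Syscall = namedtuple("Syscall", "name args")

# Assumed full key name (the slides show only "...Windows\CurrentVersion\Run").
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed trace: a dropped executable, an unrelated log file, and an
# autostart entry pointing at the dropped executable.
TRACE = [
    Syscall("NtCreateFile",  {"path": r"c:\windows\poabc.exe"}),
    Syscall("NtWriteFile",   {"path": r"c:\windows\poabc.exe", "length": 48128}),
    Syscall("NtClose",       {"path": r"c:\windows\poabc.exe"}),
    Syscall("NtCreateFile",  {"path": r"c:\users\alice\appdata\local\temp\log.txt"}),
    Syscall("NtWriteFile",   {"path": r"c:\users\alice\appdata\local\temp\log.txt", "length": 12}),
    Syscall("NtOpenKey",     {"key": RUN_KEY}),
    Syscall("NtSetValueKey", {"key": RUN_KEY, "value": "vq", "data": "poabc.exe"}),
]


def extract_behaviors(trace):
    """Walk the trace once and report DropAndAutostart behaviors.

    A behavior is emitted when a value under a Run key is set whose data
    names a file this same process created and wrote earlier in the trace.
    The returned tuple mirrors the slide-17 template minus the file contents:
    (name, file, key, value, regdata).
    """
    written = {}      # path -> bytes written so far, for files created here
    behaviors = []
    for call in trace:
        if call.name == "NtCreateFile":
            written.setdefault(call.args["path"], 0)
        elif call.name == "NtWriteFile" and call.args["path"] in written:
            written[call.args["path"]] += call.args["length"]
        elif call.name == "NtSetValueKey" and call.args["key"].lower().endswith(r"\run"):
            target = call.args["data"].lower()
            for path, nbytes in written.items():
                # Link the registry write to the dropped file by its base name
                if nbytes > 0 and path.lower().endswith("\\" + target):
                    behaviors.append(("DropAndAutostart", path, call.args["key"],
                                      call.args["value"], call.args["data"]))
    return behaviors


if __name__ == "__main__":
    for behavior in extract_behaviors(TRACE):
        print(behavior)
```

The linkage is deliberately strict: a `Run` value whose data does not name a file the process wrote (or names a file it only created but never filled) produces no behavior, so the extractor stays silent on the log file and on autostart entries that belong to something else. Real `Run` data is usually a quoted full path, so a production version would normalise the data before comparing it to the written paths.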

  13. System Details
     • Behavior Clustering

  14. System Details
     • Comparison
       • isomorphic( )

  15. System Details
     • Behavior Generalization
       • Probabilistic finite-state automaton (PFSA)
       • Simulated beam annealing algorithm

  16. System Details

  17. System Details
     • Generating Concrete Remediation Procedures
       • Newly-created resources
         DropAndAutostart(file, data, key, value, regdata)
         DropAndAutostart("c:\windows\po[[:alpha:]]{3}.exe", data, "...Windows\CurrentVersion\Run", "(vq|qv)", "po[[:alpha:]]{3}.exe")

  18. System Details
     • Generating Concrete Remediation Procedures
       • Infected resources
       • Deleted resources
       • Not implemented

  19. Evaluation
     • Over 200 malicious programs
     • Execute each sample 3 times in 5 different environments to collect trace data
     • Infect 25 test environments, all distinct from those used to collect traces
     • Execute the generated remediation procedure
     • Compare the remediated state to the original state

  20. Evaluation

  21. Evaluation
     • False positives
       • One sample: very general regular expression
         • *.exe
       • Future work: context-free grammars
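Added example tying the concrete procedure generation of slide 17 to the false positive on this slide (not the paper's implementation): `generate_procedure` instantiates the generalized `DropAndAutostart(...)` constraints against a constructed machine snapshot and emits delete actions for the matching file and `Run` value, and `is_safe_to_apply` dry-runs the same constraints on a known-clean snapshot so that an over-general pattern such as `*.exe` is refused rather than executed. The `Snapshot` layout, the full `RUN_KEY` (the slide shows only the tail of the key), the file lists and the `poqzt.exe` name are assumptions, and `[[:alpha:]]` is written as `[A-Za-z]` because Python's `re` has no POSIX classes.

```python
import re
from dataclasses import dataclass

# Assumed full key name; slide 17 shows only "...Windows\CurrentVersion\Run".
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class DropAndAutostart:
    """Generalized behavior: every argument is a constraint, not a value."""
    file_re: re.Pattern
    value_re: re.Pattern
    regdata_re: re.Pattern


@dataclass
class Snapshot:
    """Minimal view of one machine: files present and values under RUN_KEY."""
    files: list
    run_values: dict   # value name -> data


# The generalized behavior from slide 17
PO_BEHAVIOR = DropAndAutostart(
    file_re=re.compile(r"c:\\windows\\po[A-Za-z]{3}\.exe", re.IGNORECASE),
    value_re=re.compile(r"(vq|qv)", re.IGNORECASE),
    regdata_re=re.compile(r"po[A-Za-z]{3}\.exe", re.IGNORECASE),
)

# The over-general pattern behind the false positive on slide 21
STAR_EXE_BEHAVIOR = DropAndAutostart(
    file_re=re.compile(r".*\.exe", re.IGNORECASE),
    value_re=re.compile(r"(vq|qv)", re.IGNORECASE),
    regdata_re=re.compile(r".*\.exe", re.IGNORECASE),
)

# Constructed snapshots: one infected machine and one known-clean baseline
INFECTED = Snapshot(
    files=[r"c:\windows\explorer.exe", r"c:\windows\poqzt.exe", r"c:\windows\notepad.exe"],
    run_values={"vq": "poqzt.exe", "OneDrive": r"c:\users\alice\onedrive.exe"},
)
CLEAN = Snapshot(
    files=[r"c:\windows\explorer.exe", r"c:\windows\notepad.exe"],
    run_values={"OneDrive": r"c:\users\alice\onedrive.exe"},
)


def generate_procedure(behavior, snapshot):
    """Match every resource against the constraints and emit undo actions.

    Newly-created resources are the only case the paper implements, so the
    procedure is a list of deletions: ("delete_file", path) and
    ("delete_registry_value", key, value_name)."""
    actions = []
    for path in snapshot.files:
        if behavior.file_re.fullmatch(path):
            actions.append(("delete_file", path))
    for name, data in snapshot.run_values.items():
        if behavior.value_re.fullmatch(name) and behavior.regdata_re.fullmatch(data):
            actions.append(("delete_registry_value", RUN_KEY, name))
    return actions


def is_safe_to_apply(behavior, clean_baseline):
    """A behavior that matches anything on a known-clean machine would delete
    legitimate resources; refuse it instead of running it."""
    return generate_procedure(behavior, clean_baseline) == []


def remediate(behavior, infected, clean_baseline):
    """Procedure for the infected machine, or None when the behavior is too general."""
    if not is_safe_to_apply(behavior, clean_baseline):
        return None
    return generate_procedure(behavior, infected)


if __name__ == "__main__":
    print(remediate(PO_BEHAVIOR, INFECTED, CLEAN))
    print(remediate(STAR_EXE_BEHAVIOR, INFECTED, CLEAN))
```

The baseline check is the cheap safeguard a deployment would want in front of any automatically generated procedure: a constraint that fires on a clean machine is exactly the `*.exe` case, and catching it before deletion turns a destructive false positive into a pattern handed back for review.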

  22. Discussion
     • Limitations
       • Finding all high-level malicious behaviors cannot be guaranteed
       • A specific environment is required
       • Not enough traces for generalization
       • Evasion techniques

  23. Conclusion
     • Automatically generating malware remediation procedures
       • Dynamic analysis
       • Behavior generalization
     • Effectively remediates many possible executions
     • Good performance
     • Low false rate
