BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection Reporter: 林佳宜 Email: M98570015@mail.ntou.edu.tw 2010/9/13
References • Brian Bowen, Pratap Prabhu, Vasileios P. Kemerlis, Stelios Sidiroglou, Salvatore Stolfo and Angelos Keromytis. "BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection." RAID 2010.
Outline • Introduction • BotSwindler • Architecture • Experiment results • Conclusion
Introduction [1/2] • The creation and rapid growth of an underground economy • Bot infections are on the rise: up to 9% of the machines in an enterprise are now bot-infected • Crime-driven bots harvest sensitive data • from form grabbing and keystroke logging to screenshots and video capture • A recent study focused on Zeus • the largest botnet, with over 3.6 million PC infections in the US • it bypassed up-to-date antivirus software 55% of the time • Traditional crimeware detection techniques • signature comparison • anomaly-based detection
Introduction [2/2] • Drawback of conventional host-based antivirus software • it is vulnerable to evasion or subversion by malware • malware can disable defenses such as antivirus • BotSwindler: a novel system designed for the proactive detection of credential-stealing malware on VM-based hosts
BotSwindler • Relies upon an out-of-host software agent to drive user simulations • Aims to convince malware residing within the guest OS that it has captured legitimate credentials • Because the simulator runs outside the guest, it is tamper resistant and difficult for malware to detect
Simulation behaviors • To generate simulations of a human user, BotSwindler relies on a formal language, VMSim • it provides a flexible way to generate variable simulation behaviors • Uses various models for • keystroke speed • mouse speed • frequency of errors made during typing • One of the challenges in designing an out-of-host simulator • verifying the success or failure of mouse and keyboard events passed to the guest OS • addressed with a low-overhead approach called virtual machine verification (VMV)
VMSim language • The language provides a flexible way to • generate variable simulation behaviors and workflows • Mouse and keyboard events of a real user are captured • the recorded events map to the constructs of the VMSim language
Prototype of BotSwindler • Built on a modified version of QEMU running on a Linux host • User simulation is implemented using X11 libraries • VMSim expresses the simulated user behavior • the simulator runs outside the virtual machine • its actions are passed to the guest OS through the X-Window subsystem • events are replayed via the Xorg Record and XTest extension libraries • BotSwindler can operate on any guest OS supported by the underlying hypervisor or virtual machine monitor (VMM)
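The two slides above describe VMSim generating keystroke and mouse events from timing models (speed, hold time, typing-error frequency). The following is an added example, not VMSim or any code from the paper: a small keystroke generator that turns a string into a timed key-event stream, occasionally mistyping a character and correcting it with BackSpace, the way the paper's error model does. The Gaussian timing parameters, the QWERTY "neighbor key" table and the key names are assumptions chosen for illustration; only keystrokes are modeled here, not mouse movement.

```python
import random
from dataclasses import dataclass
from typing import List

# Constructed example in the spirit of VMSim's timing models. The parameters and
# the QWERTY neighbor table below are assumptions, not values from the paper.

QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass
class KeyEvent:
    key: str         # key name as it would be sent to the guest ("a", "BackSpace")
    delay_ms: float  # pause between the previous key-up and this key-down
    hold_ms: float   # key-down to key-up duration


@dataclass
class TypingModel:
    mean_delay_ms: float = 180.0        # typical inter-key latency (assumed)
    sd_delay_ms: float = 60.0
    mean_hold_ms: float = 95.0
    sd_hold_ms: float = 25.0
    error_rate: float = 0.04            # probability a character is mistyped first
    correction_pause_ms: float = 350.0  # extra hesitation before pressing BackSpace
    floor_ms: float = 20.0              # never emit physically implausible timings


def neighbor_key(ch: str) -> str:
    """Return a plausible mistyped key: the key to the right on the same QWERTY row."""
    low = ch.lower()
    for row in QWERTY_ROWS:
        if low in row:
            wrong = row[(row.index(low) + 1) % len(row)]
            return wrong.upper() if ch.isupper() else wrong
    if ch.isdigit():
        return str((int(ch) + 1) % 10)
    return "x" if ch != "x" else "c"  # fallback for punctuation and other keys


def _sample(rng: random.Random, mean: float, sd: float, floor: float) -> float:
    return max(floor, rng.gauss(mean, sd))


def simulate_typing(text: str, model: TypingModel, seed: int = 0) -> List[KeyEvent]:
    """Turn a string into a timed key-event stream with occasional typo + BackSpace."""
    rng = random.Random(seed)  # seeded so a given simulation is reproducible
    events: List[KeyEvent] = []

    def press(key: str, extra_delay: float = 0.0) -> None:
        events.append(KeyEvent(
            key=key,
            delay_ms=_sample(rng, model.mean_delay_ms, model.sd_delay_ms, model.floor_ms) + extra_delay,
            hold_ms=_sample(rng, model.mean_hold_ms, model.sd_hold_ms, model.floor_ms),
        ))

    for ch in text:
        if rng.random() < model.error_rate:
            press(neighbor_key(ch))                        # the slip
            press("BackSpace", model.correction_pause_ms)  # notice it, pause, correct
        press(ch)
    return events


def replay_text(events: List[KeyEvent]) -> str:
    """Apply the event stream to a text buffer the way a guest input field would."""
    buf: List[str] = []
    for ev in events:
        if ev.key == "BackSpace":
            if buf:
                buf.pop()
        else:
            buf.append(ev.key)
    return "".join(buf)


def total_duration_ms(events: List[KeyEvent]) -> float:
    return sum(ev.delay_ms + ev.hold_ms for ev in events)


if __name__ == "__main__":
    evs = simulate_typing("decoy-pass-1", TypingModel(error_rate=0.3), seed=7)
    for ev in evs:
        print(f"{ev.key:>9}  delay={ev.delay_ms:6.1f}ms  hold={ev.hold_ms:5.1f}ms")
    print("typed:", replay_text(evs), "in", round(total_duration_ms(evs)), "ms")
```

`replay_text` stands in for the guest's text field: whatever error rate is chosen, the buffer must end up holding the intended credential, which is the property the paper's VMV step checks against the real guest. Varying the model per simulated user is what keeps the timing distribution from being a single fingerprint an attacker could learn.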
Machine learning to distinguish simulations • A computational analysis of whether attackers could employ machine learning algorithms on keystrokes to distinguish simulations • Experiments running Naive Bayes and Support Vector Machine (SVM) classifiers • on real and generated timing data • nearly identical classification results • real data taken from Killourhy and Maxion's benchmark data set • In a study with 25 human judges • evaluating 10 videos of BotSwindler actions • the judges' average success rate was 46%, roughly chance level for a real-vs-simulated decision
Bait credentials (decoys) • The system supports a variety of bait credential types • Gmail • PayPal • banking credentials • The system automatically monitors the decoy accounts • misuse of a decoy signals exploitation and thus detects infection of the host by credential-stealing malware
Decoy monitor • Custom monitors for PayPal and Gmail accounts • these services report the time of the last login • the PayPal and Gmail accounts also expose the IP address of the last login • If there is any activity from IP addresses other than the BotSwindler host IP • an alert is triggered • alerts are also triggered when the monitor cannot log in to the bait account
Experiment results • Results from two separate experiments • First experiment: 116 Zeus samples • used 5 PayPal decoys and 5 Gmail decoys • received 14 distinct alerts from the PayPal and Gmail decoys • Second experiment: 59 different Zeus samples • received 3 alerts from the banking decoys
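The decoy-monitor slide gives two alert conditions: a last login from an IP address other than the BotSwindler host, and the monitor failing to log in at all. The following is an added example, not the paper's monitor code: a poller that applies those two rules to last-login records. The record layout, the host address and the sample poll results are constructed for illustration; a real monitor would obtain the last-login time and IP by logging in to the PayPal or Gmail decoy account and reading the values the service shows.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Constructed example of the decoy-monitoring logic. The record format, host IP
# and sample polls are assumptions, not the paper's own monitor.

HOST_IP = "203.0.113.10"  # assumption: the BotSwindler host's address (TEST-NET range)


@dataclass(frozen=True)
class LoginInfo:
    account: str
    service: str                  # "paypal", "gmail", "bank"
    last_login_ip: Optional[str]  # None if the monitor could not log in at all
    last_login_time: Optional[datetime]


@dataclass(frozen=True)
class Alert:
    account: str
    reason: str   # "foreign-login" or "login-failed"
    detail: str


class DecoyMonitor:
    """Raises one alert per observed foreign login, and an alert on every login failure."""

    def __init__(self, host_ip: str) -> None:
        self.host_ip = host_ip
        self._seen: Set[Tuple[str, str, Optional[datetime]]] = set()

    def check(self, info: LoginInfo) -> Optional[Alert]:
        if info.last_login_ip is None:
            # Cannot log in: the attacker may have changed the password or the
            # account may be locked. Either way the decoy needs attention.
            return Alert(info.account, "login-failed",
                         f"monitor could not log in to {info.service} decoy")
        if info.last_login_ip == self.host_ip:
            return None  # only our own simulated user has touched the account
        key = (info.account, info.last_login_ip, info.last_login_time)
        if key in self._seen:
            return None  # same foreign login reported again on a later poll
        self._seen.add(key)
        return Alert(info.account, "foreign-login",
                     f"last login from {info.last_login_ip} at {info.last_login_time}")


def run_monitor(monitor: DecoyMonitor, polls: List[LoginInfo]) -> List[Alert]:
    """Feed a sequence of poll results through the monitor and collect the alerts."""
    return [a for a in (monitor.check(p) for p in polls) if a is not None]


# Constructed poll results (not real accounts or observations).
T1 = datetime(2010, 9, 13, 8, 0, tzinfo=timezone.utc)
T2 = datetime(2010, 9, 13, 9, 30, tzinfo=timezone.utc)
SAMPLE_POLLS = [
    LoginInfo("decoy-paypal-1", "paypal", HOST_IP, T1),        # our own simulated login
    LoginInfo("decoy-gmail-1", "gmail", "198.51.100.77", T2),  # someone else logged in
    LoginInfo("decoy-gmail-1", "gmail", "198.51.100.77", T2),  # same login, next poll
    LoginInfo("decoy-bank-1", "bank", None, None),             # monitor locked out
]

if __name__ == "__main__":
    for alert in run_monitor(DecoyMonitor(HOST_IP), SAMPLE_POLLS):
        print(f"[{alert.reason}] {alert.account}: {alert.detail}")
```

The seen-set matters in practice: the monitor polls repeatedly, and the same foreign login would otherwise re-alert on every poll. A login failure is reported every time instead, because it may mean the attacker has already taken over the decoy account, which is exactly the signal of a compromised host.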
Contributions • BotSwindler architecture • VMSim language • Virtual Machine Verification (VMV) • Real malware detection results • Statistical and information theoretic analysis • Believability user study results • Performance overhead results
Conclusion • The system is demonstrated with three types of credentials • It can be extended to support any type of credential that can be monitored for misuse • The paper discusses how BotSwindler can be deployed to service hosts • including those that are not VM-based, making the approach broadly applicable
QEMU is free software written by Fabrice Bellard that emulates a processor. It is similar to Bochs and PearPC, but has some features the latter two lack, such as high speed and cross-platform support. Through the open-source accelerator kqemu, QEMU can emulate at speeds close to those of a real machine.