1 / 16

SpyProxy : Execution-based Detection of Malicious Web Content

SpyProxy : Execution-based Detection of Malicious Web Content. 1 Intro. C an execution-based analysis successfully detect today’s malware threats? C an the analysis be performed without harming browser responsiveness?

nerice
Download Presentation

SpyProxy : Execution-based Detection of Malicious Web Content

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SpyProxy: Execution-based Detection of Malicious Web Content

  2. 1 Intro • Can execution-based analysis successfully detect today’s malware threats? • Can the analysis be performed without harming browser responsiveness? • What are the limitations of this approach, in particular in the face of complex, adversarial scripts that contain non-determinism?

  3. 2 Architecture and Implementation • Defending Against Modern Web Threats • Design Goals • Proxy-based Architecture • Static Analysis • Any pages with active content must be analyzed dynamically • Execution-based Analysis through VM-based Page Rendering

  4. 2.4 Limitations • Non-determinism • client-side non-determinism • the VM worker will see a benign ad while the client will see a malicious ad. • Termination • Differences Between the Proxy and Client

  5. 3Performance Optimizations • Caching the Result of Page Checks • Squid Proxy • Identify each Object • Prefetching Content to the Client • The Staged Release of Content

  6. 3.4Additional optimizations • keep a browser process already running inside • Avoid set-up time • virtual disk backing the VM worker is stored in a RAM-disk file system in the host OS • Eliminating the disk traffic associated with storing cookies or files in the VM browser. • we re-use VM workers across requests, garbage collecting them only after a trigger fires or a configurable number of requests has occurred. • 50 requests • How to collect the garbage? Which issues will be regarded as garbage?

  7. 4 Evaluation • 3 key questions • how effective is our system at detecting and blocking malicious Web content • how well do our performance optimizations mask latency from the user • how well does our system perform given a realistic workload

  8. 4.1 Effectiveness at Blocking Malicious Code • Base: a list of 100 malicious Web pages on 45 distinct sites. • Result: 100% of the malicious Web pages is blocked • Question: False Positive?没有检测

  9. 4.2 Performance of the Unoptimized System • Timeline : the latency of each step from the client’s Web page request to the final page rendering in the client.

  10. 4.3 Performance Optimizations

  11. 4.4 Performance on a Realistic Workload • Base: 1909 requests generated by 703 different safe URLs from 124 different sites. Selecting a range of popular and unpopular sites ranked by the Alexa ranking service. • very few false positives: only 4 of the 1,909 • However, we do “reduce”the number of false positives by including the most common browser plug-ins, such as Flash, in the base VM image. • Average: 600ms

  12. 4.5 Scalability • Assumption: the CPU is likely to be the bottleneck of a deployed system • the system must be configured with an adequate amount of memory and network bandwidth to support the required concurrent virtual machines and Web traffic. • a single-CPU SpyProxy could support approximately 822 users. • A single quad-core machine should be able to handle the load from an organization containing a few thousand people.

  13. 5 Related Work • 5.1 Spyware and Malware Detection • Passive network monitor to measure adware on the campus of University of Washington • Crawling to find and analyze executable programs and Web pages that lead to spyware infections • Strider HoneyMonkey and SiteAdvisor • Not transparent rather than a measurement tool • Gatekeeper • only look for malware that is already installed

  14. 5.1Spyware and Malware Detection • Semantics-aware malware detection & automatic generation of signatures for detection of unknown malware variants • Not prevention • Prevx1 and Primary Response SafeConnect • must run on systems packed with client-installed programs • VM isolation, OS-level sandboxing, or logging/ rollback • Other challenges: data sharing and client-side performance overhead

  15. 5.2Intrusion Detection and Firewalls • Intrusion detection systems (e.g., Bro and Snort) • cannot detect new or otherwise undiscovered attacks. • attacks are detected but not prevented • Shadow honeypots • route risky network traffic to a heavily instrumented version of a vulnerable application • SpyProxy does not need to instrument the Web browser that it guards, and its run-time checks are more general and easier to define

  16. 5.3 Proxies • SpyProxy uses execution-based analysis to identify malicious content

More Related