NetSpy: Automatic Generation of Spyware Signatures for NIDS
Hao Wang, Somesh Jha and Vinod Ganapathy
{hbwang, jha, vg}@cs.wisc.edu
University of Wisconsin-Madison

What is Spyware?
[Figure: user is visiting www.google.com; labels: spyware server]

Stopping Spyware
[Figure: labels: NIDS, spyware server]

Problem: Signature Updates
[Figure: labels: NIDS, spyware server]
• Reliance on vendors to provide timely signature updates
• Cannot detect new spyware or variants of existing spyware

NetSpy Overview
[Figure: injected activity "Visit www.google.com"; observed requests: GET /data/...theurl=www.google.com, GET /, GET /intl/en/images/log.gif; labels: NIDS, spyware server]

Detecting and Stopping Spyware

Defense perimeter \ Detection mechanism | Signature-based               | Behavior-based
Host-based                              | Most commercial solutions     | A few commercial solutions
Network-based                           | NetSpy (Signature Generation) | NetSpy (Differential Analysis)
Outline
• Motivation
• NetSpy architecture
• Inducing spyware activity
• Differential analysis
• Signature generation
• Evaluation

NetSpy: Automatic Spyware Signature Generation
• Identify new spyware
• Detect spyware that operates as plugins to web browser
• Generate NIDS signature for detected spyware
• Without relying on vendors to provide updates

Key Observations
• Spyware is programmed to monitor certain user activities
• Spyware must send monitored data to its home server. When?
• To maximize opportunity for profit, many spyware programs send back data immediately
NetSpy Architecture
[Figure: User inputs -> User Activity Injector -> System -> Network packets -> Differential Analysis -> Malicious substrate (network packets) -> Signature Generation -> NIDS Signature]
Inducing Spyware Activity
• An automatic web browser driver
• Inject synthetic user activities into a web browser
  • http://www.google.com/search?hl=en&q=ps3&btnG=...
  • http://www.apple.com/itunes/
  • …
• Trigger spyware that is programmed to monitor the injected activities
• Induce spyware into sending data to its home server

Challenge
• Some spyware only monitors certain events
  • e.g., when a user enters a wrong URL
  • e.g., when a user accesses a banking web site
• A difficult problem in itself
• We rely on some heuristics about spyware's behavior
  • e.g., include invalid URLs in the input
Differential Analysis
• Goal: identify network packets sent by an untrusted program
• Idea: compare network traffic from a clean system and from an infected system

Differential Analysis
On a system infected with BrowserAccelerator, IE generated seven packets:
[Figure: packet list; annotations: "Contain input www.google.com", "Unseen Hosts"]
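Differential analysis on constructed traces, as an added example that is not NetSpy's own code: packets are (host, request line) pairs, the spyware host and the /collect path are placeholders, and the two cues on the slide (payload contains the injected input, destination host unseen in clean traffic) become annotations on each unexplained packet.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "host request")  # what a sniffer records per request

# Constructed traces for one injected input (the user "visits" www.google.com).
CLEAN = [  # uninfected system: only the browser's own requests to Google
    Packet("www.google.com", "GET / HTTP/1.1"),
    Packet("www.google.com", "GET /intl/en/images/logo.gif HTTP/1.1"),
]
INFECTED = CLEAN + [  # infected system: the same requests plus a plugin beacon
    Packet("spyware.example", "GET /collect?theurl=www.google.com HTTP/1.1"),
]

def differential_analysis(clean, infected, injected_input):
    """Return the infected-system packets the clean trace cannot explain.

    A packet is explained when the clean system sent the identical (host,
    request) pair for the same injected input. Each unexplained packet is
    annotated with the two cues the slide points at: the payload carries the
    injected input, and the destination host never shows up in clean traffic.
    """
    explained = set(clean)
    clean_hosts = {p.host for p in clean}
    return [
        {"packet": p,
         "contains_input": injected_input in p.request,
         "unseen_host": p.host not in clean_hosts}
        for p in infected if p not in explained
    ]

def malicious_substrate(clean, infected, injected_input):
    """Packets handed on to signature generation: those showing either cue.
    Unexplained packets with neither cue (e.g. a legitimate request that merely
    varies between runs) are dropped so they do not pollute the signature."""
    return [f["packet"] for f in differential_analysis(clean, infected, injected_input)
            if f["contains_input"] or f["unseen_host"]]
```

Both traces must come from the same injected input, otherwise every difference in ordinary browser traffic is flagged.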
Signature Generation for NIDS
• Why?
  • To protect other computers on the same network
  • Once NetSpy identifies a new spyware on one computer, all other systems automatically gain protection
• Currently generate signatures for Snort

Signature Requirements
• Not a good signature: GET /data/...theurl=www.google.com (only works when a user visits Google!)
• Signature needs to be generic
• Solution: Repeat differential analysis on multiple inputs

Generating Signatures
• Inputs: a set of network packets
• Goal: identify the invariants among these packets

Longest Common Subsequence
• Handle multiple strings
• Convert the variants into a regular expression

Input URL        | Packet
www.google.com   | GET /data/...theurl=www.google.com
www.apple.com    | GET /data/...theurl=www.apple.com
www.slashdot.org | GET /data/...theurl=www.slashdot.com
…                | …

Signature: GET /data/…theurl= .*
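Signature generation as an added example, not NetSpy's code: it folds the longest common subsequence over a constructed packet set (the /collect path stands in for the real URL), turns the parts that vary between inputs into `.*`, and wraps the result in a Snort rule. The minimum fragment length used to drop single shared characters is my heuristic and is not described on the slides.

```python
import re

PACKETS = ["GET /collect?theurl=www.google.com", "GET /collect?theurl=www.apple.com",
           "GET /collect?theurl=slashdot.org"]  # constructed; /collect is a placeholder path

def lcs(a, b):  # textbook DP; returns one longest common subsequence of a and b
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return "".join(out)

def common_fragments(packets, min_len=4):
    """Fold pairwise LCS over all packets (a common subsequence of every packet),
    then keep only runs that are contiguous in each packet and at least min_len
    long; shorter runs are stray shared letters and become part of the '.*'."""
    common = packets[0]
    for p in packets[1:]:
        common = lcs(common, p)
    breaks = set()  # indices in `common` where some packet has a gap before the char
    for p in packets:
        j = -1
        for k, c in enumerate(common):
            nxt = p.index(c, j + 1)  # greedy embedding always succeeds for a subsequence
            if k and nxt != j + 1:
                breaks.add(k)
            j = nxt
    cuts = sorted(breaks | {0, len(common)})
    frags = [common[a:b] for a, b in zip(cuts, cuts[1:])]
    return [f for f in frags if len(f) >= min_len]

def signature_regex(packets):
    return ".*".join(re.escape(f) for f in common_fragments(packets)) + ".*"

def snort_rule(packets, sid, msg):  # longest fixed fragment doubles as a fast content pre-filter
    regex = signature_regex(packets).replace("/", "\\/")
    longest = max(common_fragments(packets), key=len)
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"%s"; '
            'flow:to_server,established; content:"%s"; pcre:"/%s/"; sid:%d; rev:1;)'
            % (msg, longest, regex, sid))
```

With the three inputs above the only fragment that survives is `GET /collect?theurl=`, so the rule matches the beacon for any visited site, which is exactly the generality the previous slide asks for.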
A9 Toolbar
• Advertised feature: store a user's browsing history in a central server
  • A user first signs on with A9.com
  • A9 Toolbar sends every URL visited back to a server called client.a9.com
  • The user can access the history from anywhere
• Unadvertised feature:
  • A9 Toolbar also sends URLs to another server: siteinfo.a9.com
  • Regardless of whether the user has signed on or not
AOL Toolbar
• Hijacks Internet Explorer's error page
  • Sends the URL entered by a user to multiple servers
  • Downloads and displays advertisements related to the URL
• Monitors all queries involving google.com
  • Transmits data over an SSL connection to a server: snsproxy-vd01.evip.aol.com
  • This behavior only occurs in version 3.0.82
  • The latest version 4.0 does not
Limitations
• Currently only works with browser plugins
• Assumes that spyware behaves in certain ways:
  • Monitors a user's activity and immediately sends out data to its home server
    • Cannot detect timer-based spyware
  • Does not encode data to be transmitted

Conclusion
• NetSpy: a system that can
  • Detect new spyware by inducing its spying activity
  • Automatically generate NIDS signatures for spyware