Using Engine Signature to Detect Metamorphic Malware - PowerPoint PPT Presentation

About This Presentation

Title: Using Engine Signature to Detect Metamorphic Malware

Description: Using Engine Signature to Detect Metamorphic Malware. Mohamed R. Chouchane and Arun Lakhotia, Software Research Laboratory, The University of Louisiana at Lafayette.

Number of Views:65
Avg rating:3.0/5.0
Slides: 13
Provided by: Moha254
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes



1
Using Engine Signature to Detect Metamorphic Malware
  • Mohamed R. Chouchane and Arun Lakhotia
  • Software Research Laboratory
  • The University of Louisiana at Lafayette
  • Fourth Workshop on Rapid Malcode (WORM)
  • November 3rd, 2006
  • George Mason University, Fairfax, VA, USA

2
Metamorphic Malware
[Figure: three copies of the virus, labelled Form A, Form B and Form C, linked by the metamorphic engine M]
  • Metamorphic malware changes as it propagates
  • It creates multiple variants of itself

3
Metamorphic Malware Challenge
[Figure: the same Form A / Form B / Form C chain through engine M, with a signature attached to each form]
Antivirus scanners use extracted byte sequences, or signatures, to identify known malware.
Using a different signature for (almost) every variant cannot scale.
Too many signatures challenge the AV scanner.
4
Engine Signature: Track Variants to their Engine
[Figure: diagram with the labels "E-friendly malware", "Engine", "release", "variant" and "feedback"]
  • One engine → one source of variation
  • Engine-friendly code is code written for the engine
  • Idea: engine signature vs. virus signature
  • Lightens the burden of one signature per variant
  • Analogous to determining the likelihood of engine authorship

5
Engine-Friendliness
[Figure: input variants labelled 10 friendly, 20 friendly, 90 friendly and 100 friendly (low to high E-friendliness) are fed to the metamorphic engine (instruction substitution, garbage insertion), which produces the output variants]
6
Code Substitution (Evol)
  • mov [esi+4], 9   →  mov [esi+4], 6
                        add [esi+4], 3
  • mov [ebp+8], ecx →  push eax
                        mov eax, ecx
                        mov [ebp+8], eax
                        pop eax
  • push 4           →  mov eax, 4
                        push eax
  • push eax         →  push eax
                        mov eax, 2Bh

Clues: the substituted (right-hand side) instruction sequences
7
Scoring Function
[Figure: a code segment annotated with the clue count per site]
  • $S_E(V) = \dfrac{\sum_{c}\sum_{s} w_c\, e_{cs}}{|V|}$  (c ranges over the clues of engine E, s over the sites in V, $w_c$ is the weight of clue c, $e_{cs}$ the count of clue c at site s, and $|V|$ the size of segment V)
  • $S_E(V)$ measures how dense a code segment V is with clues from some code-substituting engine E.
  • Clues are weighted according to their length.
  • Other weight assignments can be explored.

Example from the figure: $S_E = 25/15 = 1.667$
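As an added example (not the authors' code and not taken from the WORM paper), the scoring function $S_E(V)$ of slide 7 implemented over a constructed instruction listing, with the right-hand sides of the Evol rules on slide 6 used as the clue set. Everything beyond the formula and those rules is an assumption of this example: instructions as plain text lines, the tokenizer, the `_` operand wildcard, the weight $w_c$ taken as the clue's length in instructions, and both sample segments.

```python
"""Added example (not the authors' code): the clue-density score S_E(V) of
slide 7, applied to a constructed x86 instruction segment.

S_E(V) = (sum over clues c, sum over sites s of w_c * e_cs) / |V|, where
  c    ranges over the clues of engine E (here: the output sequences of the
       W32.Evol substitution rules listed on slide 6),
  s    ranges over the sites, i.e. instruction positions, in segment V,
  w_c  is the weight of clue c, taken here as its length in instructions,
  e_cs is 1 if clue c starts at site s and 0 otherwise,
  |V|  is the number of instructions in V.
Tokenizer, the "_" wildcard and the sample segments are assumptions of this
example, not taken from the slides.
"""
from typing import List, Sequence, Tuple

Clue = Tuple[str, ...]

# Clues: the right-hand sides of the Evol rules on slide 6, one per rule.
EVOL_CLUES: List[Clue] = [
    ("mov [esi+4], 6", "add [esi+4], 3"),                         # from mov [esi+4], 9
    ("push eax", "mov eax, ecx", "mov [ebp+8], eax", "pop eax"),  # from mov [ebp+8], ecx
    ("mov eax, 4", "push eax"),                                   # from push 4
    ("push eax", "mov eax, 2Bh"),                                 # from push eax
]


def tokenize(insn: str) -> List[str]:
    """'mov [esi+4], 6' -> ['mov', '[esi+4]', '6']; matching is case-insensitive."""
    mnemonic, _, operands = insn.strip().partition(" ")
    tokens = [mnemonic.lower()]
    if operands:
        tokens += [op.strip().lower() for op in operands.split(",")]
    return tokens


def insn_matches(pattern: str, insn: str) -> bool:
    """One pattern instruction vs. one real instruction; an operand '_' matches anything."""
    p, i = tokenize(pattern), tokenize(insn)
    return len(p) == len(i) and all(a == "_" or a == b for a, b in zip(p, i))


def clue_at_site(clue: Clue, segment: Sequence[str], site: int) -> bool:
    """e_cs: does clue c start at instruction position s of V?"""
    if site + len(clue) > len(segment):
        return False
    return all(insn_matches(p, segment[site + k]) for k, p in enumerate(clue))


def clue_weight(clue: Clue) -> int:
    """w_c: clues are weighted by their length (slide 7)."""
    return len(clue)


def matched_sites(segment: Sequence[str],
                  clues: Sequence[Clue] = EVOL_CLUES) -> List[Tuple[int, int]]:
    """All (clue index, site) pairs with e_cs = 1; overlapping matches are kept."""
    return [(ci, s) for ci, clue in enumerate(clues)
            for s in range(len(segment)) if clue_at_site(clue, segment, s)]


def engine_score(segment: Sequence[str],
                 clues: Sequence[Clue] = EVOL_CLUES) -> float:
    """S_E(V): weighted clue count divided by the number of instructions in V."""
    if not segment:
        return 0.0
    weighted = sum(clue_weight(clues[ci]) for ci, _ in matched_sites(segment, clues))
    return weighted / len(segment)


# Constructed segments (not real malware): one carrying three Evol output
# sequences, one ordinary prologue/epilogue carrying none.
EVOL_LIKE_SEGMENT = [
    "push ebp", "mov ebp, esp",
    "mov [esi+4], 6", "add [esi+4], 3",   # clue 0 at site 2
    "mov eax, 4", "push eax",             # clue 2 at site 4
    "push eax", "mov eax, 2Bh",           # clue 3 at site 6
    "call sub_label", "pop ebp",
]
CLEAN_SEGMENT = ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"]

if __name__ == "__main__":
    print(matched_sites(EVOL_LIKE_SEGMENT))  # [(0, 2), (2, 4), (3, 6)]
    print(engine_score(EVOL_LIKE_SEGMENT))   # 0.6  (= (2 + 2 + 2) / 10)
    print(engine_score(CLEAN_SEGMENT))       # 0.0
```

The clue-bearing segment scores 0.6 (three two-instruction clues in ten instructions) while the plain prologue scores 0; a threshold on this density, rather than a per-variant byte signature, is the engine-signature idea of slide 4. The `_` wildcard is there so that a clue can generalise over operands (for instance `mov _, eax`) instead of demanding the exact registers shown in the slide's rules.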
8
Evaluation: Non-Evol Segments
[Figures: frequency distributions of the scores of 2nd to 7th generation variants with initial E-friendliness 5 (figure at left) and 50 (figure at right)]
  • The E-friendlier the Eve, the higher the score
  • Later variants tend to score higher
  • Convergence behavior

9
Evaluation: Simulated Evol Segments
  • Certain range of values
  • Gaussian-like
  • 2nd, 3rd, and 4th generation variants scored 1.62, 1.95, and 2.13, respectively

[Figures: frequency distributions of the scores of 2nd to 4th generations (left to right) of simulated Evol variants]
10
Discussion
  • Limitations
    • Small clues → fewer transformation options
    • Low friendliness → malware open to traditional signature scanning
    • More analysis may be needed
  • Improvement and further work
    • Investigate other weight assignments
    • Investigate engines which expand and shrink code
    • Functional relationship among parameters
    • Use engine signature to determine toolkit authorship

11
Software Research Lab, Center for Advanced Computer Studies, University of Louisiana at Lafayette
  • Arun Lakhotia, Director
  • Andrew Walenstein, Research Scientist
  • Michael Venable, Software Engineer and Alumnus
  • Ph.D. Students: Mohamed R. Chouchane, Md Enamul Karim
  • M.S. Students: Matthew Hayes, Christopher Thompson
  • Alumni
    • Nitin Jyoti, Avertlabs
    • Aditya Kapoor, McAfee
    • Erik Uday Kumar, Authentium
    • Rachit Mathur, McAfee
    • Moinuddin Mohammed, Microsoft
    • Prashant Pathak, Symantec
    • Prabhat Singh, Symantec

Funded by the Louisiana Governor's IT Initiative

12
More at www.cacs.louisiana.edu/labs/SRL
Using Engine Signature to Detect Metamorphic Malware
Mohamed R. Chouchane and Arun Lakhotia
Software Research Laboratory, The University of Louisiana at Lafayette
{mohamed,arun}@louisiana.edu