Academia Sinica, Institute of Information Science

Events


Multifaceted Malware Behavior Profiling and Analysis


  • Speaker: Dr. Shun-Wen Hsiao (蕭舜文), Institute of Information Science, Academia Sinica
    Host: Der-Tsai Lee (李德財)
  • Time: 2016-05-30 (Mon.) 10:30 ~ 12:00
  • Venue: Lecture Hall 106, New IIS Building

Abstract

There is a paradox in security: we are eager to understand attacks, yet we often fail to comprehend them. A security professional needs to answer certain essential and critical questions, such as “how was the malware planted on the infected host?”, “did it access any important or private data?”, “did it change any system configuration?”, and “is this malware similar to any known malware?”, in order to appraise the possible damage incurred and curate a solution that mitigates or neutralizes the malware. However, answering these questions is not trivial, because security is difficult to learn, practice, and concretize.

We develop a framework for malware behavior profiling and analysis that assists a security professional in monitoring and auditing a variety of security subjects from different aspects, e.g., network packet inspection, communication state tracking, attack symptom detection, and malicious process examination, in order to assure that the integrity of the network or system is not violated. The developed profiling techniques include Stateful Deep Packet Inspection (for reconstructing the messages exchanged between attacker and victim), Multi-layered Attack Symptom detection (for identifying pre-attack activities in network protocol execution), Virtual Machine Introspection for Windows APIs (for examining the Windows APIs executed by malware inside a virtual machine), etc. These profilers are embedded in network routers and virtual machine monitors so that they keep tracking the malware's behavior without being discovered by the attacker.

In our experiments, thousands of malware binaries (on the Windows and Android platforms) are profiled. The generated profiles are analyzed with different algorithms from bioinformatics and data mining (e.g., similarity analysis, sequence analysis, behavior pattern extraction, FSM-based attack model construction, phylogenetic tree construction, and malware classification) to give us a more concrete view with which to examine the malware. With these malware profiles, we further develop a network-based early intrusion detection system, a runtime execution inspection system for Cloud environments, a real-time continuous security protection system, and a malware family classification system.
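To make the "bioinformatics sequence analysis over behavior profiles" idea concrete, the following is an added illustration, not code from the talk or from the speaker's framework: each profile is a constructed sequence of Windows API call names (a simplified stand-in for the VMI-collected profiles described above), profiles are compared with Needleman-Wunsch global alignment, and an unknown sample is assigned to the family of its most similar known profile. The API names, scoring constants, family labels and threshold are all assumptions chosen for the example.

```python
"""Sequence similarity between behavior profiles (constructed example)."""

MATCH, MISMATCH, GAP = 2, -1, -1  # assumed alignment scoring scheme


def align_score(a, b):
    """Needleman-Wunsch global alignment score of two API-call sequences."""
    n, m = len(a), len(b)
    prev = [j * GAP for j in range(m + 1)]  # first row: all gaps
    for i in range(1, n + 1):
        cur = [i * GAP] + [0] * m
        for j in range(1, m + 1):
            diag = prev[j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH)
            cur[j] = max(diag, prev[j] + GAP, cur[j - 1] + GAP)
        prev = cur
    return prev[m]


def similarity(a, b):
    """Normalise the alignment score to [0, 1]; 1.0 means identical sequences."""
    best = MATCH * min(len(a), len(b)) + GAP * abs(len(a) - len(b))
    worst = GAP * (len(a) + len(b))  # the all-gap path
    return (align_score(a, b) - worst) / (best - worst)


def classify(profile, known, threshold=0.5):
    """Nearest-neighbour family assignment; below threshold -> 'unknown'."""
    best_family, best_sim = "unknown", 0.0
    for family, members in known.items():
        for member in members:
            s = similarity(profile, member)
            if s > best_sim:
                best_family, best_sim = family, s
    return (best_family if best_sim >= threshold else "unknown", best_sim)


# Constructed reference profiles (API-call sequences), two assumed families.
KNOWN_PROFILES = {
    "dropper": [
        ["CreateFileW", "WriteFile", "CreateProcessW", "RegSetValueExW",
         "InternetOpenA", "HttpSendRequestA"],
        ["CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW",
         "InternetOpenA", "HttpSendRequestA"],
    ],
    "ransomware": [
        ["FindFirstFileW", "FindNextFileW", "ReadFile", "CryptEncrypt",
         "WriteFile", "DeleteFileW"],
    ],
}

# Constructed unknown sample: a dropper variant whose last call differs.
UNKNOWN_SAMPLE = ["CreateFileW", "WriteFile", "CreateProcessW",
                  "RegSetValueExW", "InternetOpenA", "InternetReadFile"]

if __name__ == "__main__":
    print(classify(UNKNOWN_SAMPLE, KNOWN_PROFILES))  # ('dropper', 0.875)
```

Pairwise `similarity` values over a whole corpus give the distance matrix from which clustering or a phylogenetic tree, as mentioned above, can be built.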

These profiles and systems can help a security professional answer the most critical and essential questions: "what is an attack, and how can I deal with it?"