Algorithmic Techniques for Malicious Software Detection and Classification based on System-Call Dependency Graphs (PDF, 91 pages)

This MSc specialisation thesis is submitted by Iosif Polenakis to the Examination Committee appointed by the General Assembly of Special Composition of the Department of Computer Engineering & Informatics, as part of the requirements for the degree of Master of Science in Computer Science with specialisation in Theoretical Computer Science. September 2014.

Algorithmic Techniques for Malicious Software Detection and Classification based on System-Call Dependency Graphs
MSc Thesis
Department of Computer Science and Engineering, University of Ioannina, Greece
Iosif R. Polenakis, September 2014

Dedication (translated from Greek)

This thesis is dedicated to my beloved family; to my professor and thesis supervisor, Stavros D. Nikolopoulos; and to all fellow fighters in the arena of the intellect who, despite the obstacles and whatever difficulties, faithfully continue to set aside earthly pleasures for the sake of a continuous, selfless contribution to science and society.

Acknowledgements (translated from Greek)

First of all, I would like to thank my beloved family, which from my very first steps has been a hearth of humanity, virtue, spirit and learning. I thank from the bottom of my heart my parents, Rousangelos and Kleopatra, and my sister Eirini, for the light they passed on to me and for their unceasing support throughout my struggle. At this point I want to give special thanks to two people to whom I undoubtedly owe a great deal, and who were the pioneers, the front line of the struggle, in building whatever I am and whatever I may become: my grandfather Apostolos and my grandmother Eirini, who lit, and kept alight until the end, the flame for self-improvement and for the ceaseless effort to elevate character and spirit; and also the late Iosif and Anastasia, whose wisdom I tasted only briefly.
In addition, I want to thank from my heart my spiritual father, a true teacher in the deepest and most essential sense that this word carries, who taught his student to believe in the vision and in the idea, and to fight with self-denial in pursuit of the best against whatever obstacles may appear, without ever forgetting where he started from. I refer, of course, to the supervisor of this thesis, Professor Stavros D. Nikolopoulos, who did me the honour of trusting me and stood by me as a helper in completing this work. I would also like to thank Associate Professor Leonidas Palios and Assistant Professor Loukas Georgiadis for their participation in the three-member committee, and for their valuable and apt remarks, which contributed to the improvement of this work. Finally, I feel the need to thank all my friends and fellow students for their valuable support in all the moments we spent together, with the fruits of Nikote and Runge in hand, gazing with courage and hope at an uncertain future from the third-floor balcony; and A., whose voluntary absence made me stronger. I thank God for bringing the people above onto my path, to offer light and to be an inspiration to all who are fortunate enough to stand beside them.
Table of Contents

List of Figures
List of Tables
1 Introduction
  What is Malicious Software
    Basic Malware Types
    Miscellaneous Malware Types
  Defence Against Malicious Software
    Malware Analysis
    Malware Detection
    Malware Classification
  Malware Mutations and Detection Avoidance
    Code Obfuscation Techniques and Malware Evolution
    Metamorphic Malware: A Major Threat
  Related Work
    Graph-Based Malware Detection
    Graph-Based Malware Classification
  Contribution
    Motivation
    Proposed Solution
  Structure of the Thesis
2 Malware Analysis
  Static Malware Analysis
    Static Analysis Techniques
    Static Analysis Tools
  Dynamic Malware Analysis
    Dynamic Analysis Techniques
    Dynamic Analysis Tools
3 Malware Detection
  Concept and Implementation
    Malware Detection
    Malware Detector Design
  Categorizing Detection Methods
    Signature Based Detection Methods
    Behavior Based Detection Methods
  Graph-Based Detection Methods
    Malware Detection using Control Flow Graphs
    Malware Detection using Function Call Graphs
    Malware Detection using System-Call Dependency Graphs
4 Malware Classification
  Phylogeny
  Software Similarity
  Classification of Malware into Families
  Graph-Based Classification Methods
    Malware Classification using Function Call Graphs
    Malware Classification using System-Call Dependency Graphs
5 Our Model
  Graph Representation of Malicious Software
    System-Call Dependency Graph Construction
    G: an Auxiliary Hyper-Abstraction of SCDG
  Graph Similarity
    Graph Representation
    Malware Families and Sample Structure
    Graph Similarity Metrics
  Graph Based Malicious Software Detection
    Detection Based on Family Qualitative Characteristics
    Malware Detection Formula Components
    Malware Detection using NP-Similarity
  Graph Based Malicious Software Classification
    Malware Classification Filters
    Malware Classification using Multiple Filters
  Other Approaches for Detection and Classification
    Failed Malware Detection Methods
    Failed Malware Classification Methods
6 Results
  Data Set
  Experimental Design
  Result Comparison
    Detection and Classification Results
    Detection Rate Comparison
    Classification Rate Comparison
  Advantages and Limitations
7 Conclusions and Future Work
  Conclusions
  Future Work

List of Figures

1.1 Interdependence of Analysis, Detection and Classification
Signature-Based Detection Avoidance using Encryption
Dynamic Taint Analysis Procedure
Malware Detection
Malware Analysis
Malware Detection
Virus Chernobyl/CIH body and corresponding IA-32 instructions [15]
Visualization of Behavior-based Detection
Control Flow Graph Representation [9]
String signature derived by CFG [11]
Function Call Graph (local and external functions) [33]
Behavior Graph from malware NetSky [35]
Dendrogram Representing Phylogeny Between Individual Specimens [61]
Clustering of Malware Samples according to NCD [4]
System Call Dependency Graph
Simplified System Call Dependency Graph
Hyper-Abstraction G
Adjacency Matrix from G
Organization of samples into malware families represented by G sets
Zone Adjacency Matrix Construction
Accumulative Adjacency Matrix Construction
Kernel Similarity Visualization
Cover Similarity Visualization
Visualization of Malware Classification using Multiple Filters
Malware Families Connected by Name Commonalities

List of Tables

4.1 Spare Malware Samples [4]
NCD Computation of Malware Samples [4]
System Call Traces
System Call Dependencies
System Call Groups
Malware Families
Classification: Matching Process and Results
Accuracy
Malware Detection and Classification Results
Malware Detection Results Comparison
Malware Classification Results Comparison

Abstract

Author: Joseph R. Polenakis, BSc, Dept. of Computer Science and Engineering, University of Ioannina, September 2014
Thesis Title: Algorithmic Techniques for Malicious Software Detection and Classification based on System Call Graphs
Supervisor: Stavros D. Nikolopoulos, Professor, Dept. of Computer Science and Engineering, University of Ioannina

One of the most dangerous and detrimental threats in computer security is malicious software, so-called malware.
Malware is software intended to serve a malicious purpose in some fashion; it is a major threat to system security because it compromises the integrity, confidentiality and availability both of the systems as a whole and of the data stored in them. To protect our systems from this threat, prevention and detection are therefore the primary line of defence. The most stable, effective and also efficient way to protect systems against malware is to install end-point detection systems, so-called antivirus (AV) software. To achieve real-time protection, AVs identify malware with a fairly naive approach: pattern matching against a set of byte-level string signatures, which gives adequate real-time protection. Because this method rests on static data, however, its results cannot be trusted once a mutated malware appears, let alone an entirely new one. Since we cannot predict new malware, our main target is hardening against mutated malware.

In this thesis we present an algorithmic technique in the area of dynamic malware analysis that detects whether a given specimen is malware and then classifies it into one of a set of known malware families. Specifically, we propose an elaborated algorithmic technique for malware detection and classification that uses System-Call Dependency Graphs (SCDGs), obtained from traces captured through taint analysis, together with a set of similarity metrics. To achieve greater generalisability, and hence greater flexibility, we transform the initial SCDG into a hyper-abstraction of it whose vertices are groups of system calls with similar functionality. After this transformation we proceed to the detection phase, for which we developed a formula that combines the examination of the qualitative, quantitative and existential characteristics spread among the members of a known malware family. In the classification phase we use both the aforementioned characteristics, through various similarity metrics, and the correlations between the Maximum Strongly Connected Component (MSCC) of the test sample's SCDG and each Strongly Connected Component (SCC) of every family member's SCDG. Finally, we report the results of applying our model, under 5-fold cross-validation, to a dataset of 2631 malware samples from 48 malware families and 33 commodity benign programs, achieving a % detection rate with 10% false positives, while our classification accuracy reaches %, and we evaluate the model by comparing these results against those produced by other approaches.

Extended Summary (translated from Greek)

One of the threats with the highest degree of danger in the field of computer systems security is malicious software, so-called malware. Malware is a kind of software that serves a malicious purpose, posing a major threat to the integrity, availability and confidentiality both of systems and of the data stored in them. Therefore, in order to protect systems, and by extension the data in them, prevention and countermeasures (detection) constitute the dominant tactic. The most reliable and efficient method of achieving this is to install detection systems at as many points of the given system as possible, the so-called anti-virus (AV) systems. These systems, which are responsible for detecting malware, use direct detection methods, such as pattern matching based on string signatures, and thereby achieve a satisfactory real-time detection rate for such threats. However, because of the static nature of the data it relies on, this capability can be reduced to a minimum when the threat in question is either a mutated or an entirely new malware. Consequently, since it is not possible to predict the creation of any new malware, our main goal is to develop mechanisms capable of providing protection against improved forms of this threat, such as mutated malware.

In this thesis we propose, implement and present an algorithmic method in the field of dynamic malware analysis which, given an unknown program, is able to detect whether it is malicious or not, and then to classify it into exactly one of a set of known malware families. Specifically, we propose an algorithmic technique for the detection and classification of malware based on System-Call Dependency Graphs, which are built from data recorded during the execution of the malware through a procedure called taint analysis. More specifically, in order to achieve greater generalisation against strong mutations, we create a hyper-graph that acts as a hyper-generalisation of the system-call dependency graph, in which every vertex (a system call) has been replaced by the group to which that system call belongs, a group that also contains other system calls with similar functionality. Next, for malware detection we propose a method that relies on a relation combining the qualitative, quantitative and existential (with respect to edges) characteristics present in the system-call dependency graphs of the members of a malware family, through different similarity metrics. Finally, to classify a malware into a malware family, we again use the aforementioned characteristics through similarity metrics, and additionally exploit the relation at the level of strongly connected components that is observed between the graph of the unknown sample and the graph of a member of a malware family. In addition, we report the results obtained through 5-fold cross-validation, applying our model to 2631 malware samples from 48 malware families and 33 benign programs, achieving a % detection rate with 10% false positives, while the rate of correct
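The pipeline sketched in the abstract and in the extended summary above (taint-style trace, System-Call Dependency Graph, group-level hyper-abstraction, similarity metrics, SCC comparison), as an added, runnable Python illustration. This is not the thesis's own code: the system-call group table, the three similarity metrics, the family profile, the detection threshold and every trace below are constructed stand-ins, and the SCC correlation is a plain overlap ratio between the test sample's maximum SCC and each member's SCCs rather than the thesis's formula.

```python
"""Constructed example: taint-style system-call trace -> System-Call Dependency Graph
(SCDG) -> group-level hyper-abstraction -> similarity metrics and SCC comparison.
Traces, groups, metrics, threshold and families are stand-ins invented for this
example; they are not the thesis's own data, group table or formulas."""
from collections import Counter, defaultdict

# Hypothetical functional grouping of system calls (the thesis's table is not on this page).
GROUPS = {"NtCreateFile": "FILE", "NtOpenFile": "FILE", "NtReadFile": "FILE", "NtWriteFile": "FILE",
          "NtOpenKey": "REGISTRY", "NtSetValueKey": "REGISTRY", "NtQueryValueKey": "REGISTRY",
          "NtCreateProcess": "PROCESS", "NtOpenProcess": "PROCESS", "NtWriteVirtualMemory": "PROCESS",
          "connect": "NETWORK", "send": "NETWORK", "recv": "NETWORK"}

def build_scdg(trace):
    """trace: [(syscall, [1-based positions of earlier calls whose results taint its arguments])]."""
    edges = Counter()                                   # (producer, consumer) -> multiplicity
    for call, taint_sources in trace:
        for src in taint_sources:
            edges[(trace[src - 1][0], call)] += 1       # vertices are names, so repeats may close cycles
    return edges

def hyper_abstract(scdg, groups=GROUPS):
    """Replace every vertex by its functional group: the hyper-abstraction G of the SCDG."""
    abstract = Counter()
    for (u, v), w in scdg.items():
        abstract[(groups.get(u, "OTHER"), groups.get(v, "OTHER"))] += w
    return abstract

def vertices(edges):
    return {x for edge in edges for x in edge}

def jaccard(a, b):                                      # existential / qualitative metric
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0

def weighted_similarity(a, b):                          # quantitative metric on edge multiplicities
    keys = set(a) | set(b)
    diff = sum(abs(a.get(k, 0) - b.get(k, 0)) for k in keys)
    return 1.0 - diff / sum(a.get(k, 0) + b.get(k, 0) for k in keys) if keys else 1.0

def tarjan_scc(edges):
    """Strongly connected components (Tarjan) of the graph given by an edge Counter."""
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    index, low, stack, on_stack, comps = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                          # v is the root of a component
            comp = frozenset(stack[stack.index(v):])
            del stack[stack.index(v):]; on_stack.difference_update(comp)
            comps.append(comp)
    for v in sorted(vertices(edges)):
        if v not in index:
            visit(v)
    return comps

def scc_cover(test_edges, member_edges):
    """Share of the test sample's maximum SCC (MSCC) that lies inside one SCC of a member."""
    comps = tarjan_scc(test_edges)
    mscc = max(comps, key=len) if comps else frozenset()
    return max((len(mscc & c) / len(mscc) for c in tarjan_scc(member_edges)), default=0.0) if mscc else 0.0

def family_profile(members):
    """Family-level graph: mean edge multiplicity over the members' abstracted graphs."""
    return {k: v / len(members) for k, v in sum(members, Counter()).items()}

def detection_score(test, members):
    """Mean of qualitative (group set), existential (edge set) and quantitative similarity."""
    prof = family_profile(members)
    return (jaccard(vertices(test), vertices(prof)) + jaccard(test, prof)
            + weighted_similarity(test, prof)) / 3

def detect(test_scdg, families, threshold=0.7):       # threshold chosen by hand for this example
    g = hyper_abstract(test_scdg)
    best = max(detection_score(g, [hyper_abstract(m) for m in mem]) for mem in families.values())
    return best >= threshold, round(best, 4)

def classify(test_scdg, families):
    """Family score re-weighted by how well the test MSCC maps onto a member's SCCs."""
    g = hyper_abstract(test_scdg)
    scores = {}
    for fam, mem in families.items():
        abstracted = [hyper_abstract(m) for m in mem]
        scores[fam] = detection_score(g, abstracted) * max(scc_cover(g, m) for m in abstracted)
    return max(scores, key=scores.get), scores

# Constructed traces: (syscall, taint sources). Two invented families of two members each.
DROPPER_A = [("NtCreateFile", []), ("NtWriteFile", [1]), ("NtOpenKey", []), ("NtSetValueKey", [3, 1]),
             ("NtCreateProcess", [1]), ("NtWriteVirtualMemory", [5, 2]), ("NtWriteFile", [6])]
DROPPER_B = [("NtOpenFile", []), ("NtReadFile", [1]), ("NtOpenProcess", []), ("NtWriteVirtualMemory", [3, 2]),
             ("NtOpenKey", []), ("NtSetValueKey", [5, 1]), ("NtWriteFile", [1, 4])]
BOT_C = [("connect", []), ("recv", [1]), ("NtCreateFile", []), ("NtWriteFile", [3, 2]),
         ("NtReadFile", [3]), ("send", [1, 5]), ("recv", [6])]
BOT_D = [("connect", []), ("send", [1]), ("recv", [1, 2]), ("NtOpenFile", []),
         ("NtWriteFile", [4, 3]), ("NtReadFile", [4]), ("send", [1, 6])]
FAMILIES = {"dropper": [build_scdg(DROPPER_A), build_scdg(DROPPER_B)],
            "bot": [build_scdg(BOT_C), build_scdg(BOT_D)]}
# Unknown sample: a dropper variant using NtOpen* instead of NtCreate*. The syscall-level
# graph differs from DROPPER_A, the group-level graph does not; that is what the abstraction buys.
MUTATED_DROPPER = [("NtOpenFile", []), ("NtReadFile", [1]), ("NtOpenKey", []), ("NtSetValueKey", [3, 1]),
                   ("NtOpenProcess", []), ("NtWriteVirtualMemory", [5, 2]), ("NtWriteFile", [6, 1])]
BENIGN_EDITOR = [("NtOpenFile", []), ("NtReadFile", [1]), ("NtWriteFile", [1, 2]),
                 ("NtOpenKey", []), ("NtQueryValueKey", [4])]
```

Calling `detect(build_scdg(MUTATED_DROPPER), FAMILIES)` flags the variant with a family score above 0.97, `classify` puts it in the dropper family because its maximum SCC ({FILE, PROCESS}) coincides with a dropper member's SCC but only half-overlaps the bot members' {FILE, NETWORK} component, and the benign editor trace stays below the threshold. The threshold and the equal weighting of the three metrics are hand-picked for these constructed traces; on a real corpus they would have to be calibrated against the false-positive rate, which is the trade-off the thesis's 10% false-positive figure reflects.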