CyberProbe: Towards Internet-Scale Active Detection of Malicious Server
Transcript of CyberProbe: Towards Internet-Scale Active Detection of Malicious Server
![Page 1: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/1.jpg)
CyberProbe: Towards Internet-Scale Active
Detection of Malicious Servers
Antonio Nappa, M. Zubair Rafique, Juan Caballero
Zhaoyan Xu, Guofei Gu
![Page 2: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/2.jpg)
Research Interests
• Malware Analysis & Defense
• Software Security: Vulnerabilities & Exploits
• Network Security: IDS
• Forensics: Memory
• Program Binary Analysis
![Page 3: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/3.jpg)
Cyberattacks
Cybercriminals Hacktivists Governments
![Page 4: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/4.jpg)
Cybercrime & Targeted Attacks
![Page 5: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/5.jpg)
Malicious Servers
• Malicious server types
– Exploit servers: malware distribution
– C&C servers: control malware
– Payment servers: monetization
– Redirectors: anonymity
– …
• Some operations use P2P: server-like functionality
![Page 6: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/6.jpg)
Operations & Server Types
Can we find the servers of an operation?
How many servers in each operation?
Where are the servers hosted?
![Page 7: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/7.jpg)
Malicious Servers in the Cloud
• Malicious servers moving to the Cloud
– 60% of Exploit Servers [Nappa13]
• VPS hosting predominantly abused
• Replace dead servers with new ones
• Servers don’t live forever
– Exploit server median lifetime = 16 hours
• Many servers needed!
![Page 8: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/8.jpg)
Dynamic Server Infrastructures
![Page 9: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/9.jpg)
Server Detection Techniques
Passive
• Honeypots
• Spamtraps
• IDS
• Limitations
– Limited view
– Slow
Active
• Run malware samples
• Honeyclient farms
– Google Safebrowsing
– Microsoft Forefront
• Limitations
– Limited view
– Specific to one server type
– Expensive
![Page 10: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/10.jpg)
Active Probing
![Page 11: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/11.jpg)
Active Probing: Benefits
• General
– Any server type and P2P bots
• Scalable: Internet-scale
• Fast: Internet in a few hours
• Easy to deploy
• Cheap
![Page 12: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/12.jpg)
Contributions
• Active probing approach for detecting malicious servers
• Adversarial fingerprint generation technique
• Implement approach into CyberProbe
• Use CyberProbe to find malicious servers
– 151 servers in 24 localized/Internet-wide scans
– 75% servers unknown to public databases
– 7000+ P2P supernodes
• Identifies provider locality property
![Page 13: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/13.jpg)
Outline
• Intro
• Approach
– Adversarial Fingerprint Generation
– Scanning
• Evaluation
![Page 14: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/14.jpg)
CyberProbe in a nutshell
[Diagram] Two stages:
• Adversarial Fingerprint Generation: Malicious Traffic + Benign Traffic + Seed Servers → Fingerprints
• Scanning: Fingerprint + Port + Target Ranges → Malicious Servers
• Goal: # Malicious Servers Detected > # Seed Servers
![Page 15: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/15.jpg)
Fingerprints
• Fingerprint → server family: operation + server type
– Possibly multiple fingerprints for same server family
• A fingerprint comprises:
– A probe construction function
– A classification function = Snort signature
Example: Clickpayz1
Probe: GET /td?aid=e9xmkgg5h6&said=26427
Signature:
content: “302”; http_stat_code;
content: “\r\n\r\nLoading…”
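To make the two halves of a fingerprint concrete, here is an added example (not the CyberProbe code) that models the Clickpayz1 fingerprint above as a probe construction function plus a classification function, and runs the classifier over a few constructed HTTP responses. The probe path is the one from the slide; the body token assumes the ellipsis shown on the slide is a literal U+2026 character, and all sample responses, hostnames and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Added example modelled on the Clickpayz1 fingerprint from the slide
# (not the CyberProbe implementation).
PROBE_PATH = "/td?aid=e9xmkgg5h6&said=26427"            # probe from the slide
STATUS_TOKEN = "302"                                     # content:"302"; http_stat_code;
BODY_TOKEN = b"\r\n\r\nLoading\xe2\x80\xa6"              # assumption: "…" is a literal U+2026 (UTF-8)


def build_probe(target_host: str) -> bytes:
    """Probe construction function: the request is fixed; only the TARGET
    (the Host header) is filled in per server."""
    return (
        f"GET {PROBE_PATH} HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})\b")


def status_code(response: bytes) -> Optional[str]:
    """HTTP status code of a raw response, or None if it is not HTTP."""
    m = _STATUS_LINE.match(response)
    return m.group(1).decode("ascii") if m else None


def classify(response: bytes) -> bool:
    """Classification function with token-set semantics: every token of the
    signature (status code and body prefix) must be present."""
    return status_code(response) == STATUS_TOKEN and BODY_TOKEN in response


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES: Dict[str, bytes] = {
    # Both tokens match: a redirect whose body starts with "Loading…"
    "family_server": (b"HTTP/1.1 302 Found\r\nLocation: http://landing.invalid/\r\n"
                      b"Content-Length: 10\r\n\r\nLoading\xe2\x80\xa6"),
    # Same body text but status 200: only one token matches
    "benign_page": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html>Loading\xe2\x80\xa6</html>"),
    # Ordinary redirect with an empty body: status matches, body does not
    "plain_redirect": b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n",
    # Not HTTP at all
    "not_http": b"SSH-2.0-OpenSSH\r\n",
}


def detected(responses: Dict[str, bytes]) -> List[str]:
    """Names of the responses the fingerprint attributes to the server family."""
    return sorted(name for name, raw in responses.items() if classify(raw))


if __name__ == "__main__":
    print(build_probe("203.0.113.7").decode())
    print(detected(SAMPLE_RESPONSES))
```

Requiring every token keeps the classifier from firing on a plain redirect or on an ordinary page that happens to say "Loading…", which is the point of combining a status-code token with a body token.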
![Page 16: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/16.jpg)
Adversarial Fingerprint Generation
• Fingerprint generation requires interacting
with remote seed servers
– Collect requests and responses
• Remote servers controlled by attacker
• Make fingerprinting inconspicuous
– Minimize traffic
– Use inconspicuous probes
Replay traffic!
![Page 17: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/17.jpg)
AFG: Architecture
[Pipeline diagram] Malicious Traffic → RRP Extraction → Replay (against Seed Servers) → Clustering → Signature Generation (checked against Benign Traffic) → Fingerprints (FP)
![Page 18: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/18.jpg)
AFG: Malicious Traffic
[Diagram] RRP Extraction: malicious traffic (pcaps) → request-response pairs (RRPs)
![Page 19: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/19.jpg)
AFG: Replay
• Replay requests to servers in traces
– VPN: anonymity, IP diversity
• Remove benign responses
– Errors, no response
– Check against random resource
[Diagram] The replayer sends the original request (GET /td?aid=e9xmkgg5h6&said=26427) and a request for a random resource (GET /asdfg.html) to evil.com (78.1.2.3). If both return 200 OK and the responses are similar, the server is sinkholed or parked and its response is discarded.
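The benign-response filter described on this slide, as an added example (not the CyberProbe code): the response to the replayed original request is compared with the response to a random resource on the same server, and dropped when the server did not answer, returned an error, or answers both requests the same way (sinkholed or parked). The similarity measure (difflib ratio over the body with a 0.9 threshold) and all responses are constructed for the example.

```python
import difflib
from typing import Dict, List, Optional, Tuple

# Added example of the replay-stage benign filter (not the CyberProbe code).


def status_of(response: Optional[bytes]) -> Optional[int]:
    """HTTP status code of a raw response; None for no response or non-HTTP data."""
    if not response:
        return None
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def body_of(response: bytes) -> bytes:
    return response.partition(b"\r\n\r\n")[2]


def body_similarity(a: bytes, b: bytes) -> float:
    """Ratio in [0, 1] of matching content between two response bodies."""
    return difflib.SequenceMatcher(None, body_of(a), body_of(b)).ratio()


def keep_response(real: Optional[bytes], random: Optional[bytes],
                  threshold: float = 0.9) -> bool:
    """Decide whether the response to the replayed trace request is usable
    for fingerprint generation.
    real   : response to the request taken from the trace (None = no response)
    random : response to a request for a random resource on the same server
    """
    code = status_of(real)
    if code is None or code >= 400:            # no response, non-HTTP, or error
        return False
    if status_of(random) == code and body_similarity(real, random) >= threshold:
        return False                            # answers anything the same way: parked / sinkholed
    return True


# Constructed (real, random) response pairs, one per replayed server.
REPLAY_CASES: Dict[str, Tuple[Optional[bytes], Optional[bytes]]] = {
    "live_family_server": (
        b"HTTP/1.1 302 Found\r\nLocation: http://landing.invalid/\r\n\r\nLoading...",
        b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>",
    ),
    "sinkholed": (
        b"HTTP/1.1 200 OK\r\n\r\n<html>This domain has been sinkholed.</html>",
        b"HTTP/1.1 200 OK\r\n\r\n<html>This domain has been sinkholed.</html>",
    ),
    "parked": (
        b"HTTP/1.1 200 OK\r\n\r\n<html><body>This domain is for sale. ref=7781</body></html>",
        b"HTTP/1.1 200 OK\r\n\r\n<html><body>This domain is for sale. ref=7782</body></html>",
    ),
    "server_error": (
        b"HTTP/1.1 500 Internal Server Error\r\n\r\n",
        b"HTTP/1.1 500 Internal Server Error\r\n\r\n",
    ),
    "no_response": (None, None),
}


def usable_rrps(cases: Dict[str, Tuple[Optional[bytes], Optional[bytes]]]) -> List[str]:
    """Names of the replayed servers whose responses survive the filter."""
    return sorted(name for name, (real, rnd) in cases.items() if keep_response(real, rnd))


if __name__ == "__main__":
    print(usable_rrps(REPLAY_CASES))
```

Comparing status codes before comparing bodies avoids penalizing a server that returns a proper 404 for the random resource; only a server that gives the same answer to both requests is treated as a catch-all.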
![Page 20: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/20.jpg)
AFG: Clustering
• Cluster RRPs by request similarity
– HTTP: method, path, parameters
– Non-HTTP: packet size, content
• Probe construction function
– Identify TARGET, SET fields
[Diagram] Clustering: replayed RRPs → RRP clusters; each cluster yields a probe construction function (FP)
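An added example (not the CyberProbe code) of the HTTP clustering step and the probe construction function it yields: requests are grouped by method, path and parameter names, and within a cluster a parameter whose value varies across the traces is marked as a SET field while the Host header becomes the TARGET field. The request samples, hostnames and the `<SET>`/`<TARGET>` placeholder notation are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Added example of RRP clustering by request similarity (not the CyberProbe code).

ClusterKey = Tuple[str, str, Tuple[str, ...]]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, query parameters and Host."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "host": headers.get("host", ""),
    }


def cluster_key(req: dict) -> ClusterKey:
    """Same method, path and parameter names => same cluster.
    Parameter values are ignored on purpose: they may differ per bot."""
    return (req["method"], req["path"], tuple(sorted(req["params"])))


def cluster_requests(raw_requests: List[str]) -> Dict[ClusterKey, List[dict]]:
    clusters: Dict[ClusterKey, List[dict]] = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        clusters[cluster_key(req)].append(req)
    return dict(clusters)


def probe_template(cluster: List[dict]) -> Tuple[str, Dict[str, str]]:
    """Probe construction function for one cluster.
    TARGET field: the Host header, filled in per scanned server.
    SET fields: parameters whose value differs across the cluster (marked
    <SET>, to be given a valid value before probing); constant parameters
    keep the value seen in the traces."""
    first = cluster[0]
    fields: Dict[str, str] = {}
    for name, value in first["params"].items():
        values = {req["params"][name] for req in cluster}
        fields[name] = value if len(values) == 1 else "<SET>"
    query = "&".join(f"{k}={v}" for k, v in fields.items())
    target = first["path"] + (f"?{query}" if query else "")
    return f"{first['method']} {target} HTTP/1.1\r\nHost: <TARGET>\r\n\r\n", fields


# Constructed replayed requests: one redirector family with constant
# parameters, one C&C-style family with a per-bot id, and an unrelated request.
SAMPLE_REQUESTS = [
    "GET /td?aid=e9xmkgg5h6&said=26427 HTTP/1.1\r\nHost: redirector-a.invalid\r\n\r\n",
    "GET /td?aid=e9xmkgg5h6&said=26427 HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n",
    "GET /td?aid=e9xmkgg5h6&said=26427 HTTP/1.1\r\nHost: redirector-b.invalid\r\n\r\n",
    "GET /gate.php?id=0a1b2c&v=2 HTTP/1.1\r\nHost: cnc-a.invalid\r\n\r\n",
    "GET /gate.php?id=ff00ee&v=2 HTTP/1.1\r\nHost: cnc-b.invalid\r\n\r\n",
    "GET /favicon.ico HTTP/1.1\r\nHost: cnc-a.invalid\r\n\r\n",
]


def probe_templates(raw_requests: List[str]) -> Dict[ClusterKey, str]:
    """One probe template per cluster."""
    return {key: probe_template(members)[0]
            for key, members in cluster_requests(raw_requests).items()}


if __name__ == "__main__":
    for key, template in probe_templates(SAMPLE_REQUESTS).items():
        print(key, repr(template))
```

Leaving parameter values out of the cluster key is what lets requests from different bots of the same family land in one cluster; the value comparison afterwards is what tells a constant (safe to reuse) from a SET field.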
![Page 21: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/21.jpg)
AFG: Signature Generation
• Response parts unique to malicious traffic
• Token-set signatures
– Snort, Suricata
• Tokenizes fields
– If known protocol
• Multiple sig. per cluster
[Diagram] Signature Generation: RRP clusters + Benign Traffic → signatures (FP)
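An added example (not the CyberProbe implementation) of token-set signature generation for one RRP cluster: responses are tokenized per field (status code, headers, body), the tokens shared by every malicious response in the cluster are kept, any token that also appears in benign traffic is removed, and the survivors are rendered as Snort/Suricata content options. The tokenizer, the sample responses and the rendered option format are constructed for the example and simplify the field-aware tokenization the slide refers to.

```python
import re
from typing import Iterable, List, Set

# Added example of token-set signature generation (not the CyberProbe code).
TOKEN_RE = re.compile(r"[A-Za-z0-9/._:=-]+")     # simple body tokenizer (assumption)
KIND_ORDER = {"status": 0, "hdr": 1, "body": 2}  # render status tokens first


def tokenize(response: str) -> Set[str]:
    """Field-aware tokens: status code, each header as name=value, body words.
    The field prefix keeps a '302' status distinct from '302' inside a body."""
    head, _, body = response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ")
    tokens = {"status:" + (parts[1] if len(parts) > 1 else "?")}
    for line in header_lines:
        name, _, value = line.partition(":")
        tokens.add(f"hdr:{name.strip().lower()}={value.strip()}")
    tokens.update("body:" + word for word in TOKEN_RE.findall(body))
    return tokens


def generate_signature(malicious: Iterable[str], benign: Iterable[str]) -> List[str]:
    """Tokens present in every malicious response of the cluster and in no
    benign response. An empty list means no usable signature for the cluster."""
    mal_sets = [tokenize(r) for r in malicious]
    if not mal_sets:
        return []
    common = set.intersection(*mal_sets)
    benign_tokens: Set[str] = set().union(*(tokenize(r) for r in benign))
    distinctive = common - benign_tokens
    return sorted(distinctive, key=lambda t: (KIND_ORDER[t.split(":", 1)[0]], t))


def to_snort_options(tokens: List[str]) -> str:
    """Render the tokens as Snort/Suricata content options (rule body only)."""
    options = []
    for token in tokens:
        kind, _, value = token.partition(":")
        if kind == "status":
            options.append(f'content:"{value}"; http_stat_code;')
        elif kind == "hdr":
            name, _, val = value.partition("=")
            options.append(f'content:"{name}: {val}"; http_header; nocase;')
        else:
            options.append(f'content:"{value}";')
    return " ".join(options)


# Constructed responses: one malicious cluster (three servers of one family)
# and a small benign corpus. The benign JSON body contains the digits 302 on
# purpose, to show that the body token does not cancel the status token.
MALICIOUS_CLUSTER = [
    "HTTP/1.1 302 Found\r\nServer: nginx\r\nLocation: http://a.invalid/land\r\n\r\nLoading...",
    "HTTP/1.1 302 Found\r\nServer: nginx\r\nLocation: http://b.invalid/land\r\n\r\nLoading...",
    "HTTP/1.1 302 Found\r\nServer: Apache\r\nLocation: http://c.invalid/land\r\n\r\nLoading...",
]
BENIGN_TRAFFIC = [
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>Loading page</html>",
    "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<h1>Not Found</h1>",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/json\r\n\r\n{\"status\": 302}",
]


def cluster_signature(malicious: List[str], benign: List[str]) -> str:
    return to_snort_options(generate_signature(malicious, benign))


if __name__ == "__main__":
    print(cluster_signature(MALICIOUS_CLUSTER, BENIGN_TRAFFIC))
```

The `Server` and `Location` headers drop out because they are not shared by all three malicious responses, and the benign check removes anything ordinary web traffic also contains, leaving exactly the status code and the body prefix, the same shape as the Clickpayz1 signature earlier in the deck.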
![Page 22: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/22.jpg)
Outline
• Intro
• Approach
– Adversarial Fingerprint Generation
– Scanning
• Evaluation
![Page 23: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/23.jpg)
Scan Ranges
• Localized scans
– Some ranges more likely due to locality
1. Localized-reduced
– BGP route for seed server
2. Localized-extended
– All ranges with same description
3. Internet-wide
– Use BGP ranges
[Diagram] Example: seed server Google.com (173.194.41.231) → BGP route 173.194.0.0/16 (Google Inc.) → all ranges described as Google Inc.: 173.194.0.0/16, 8.8.8.0/24, 8.8.4.0/24, 8.6.48.0/21, 8.35.200.0/21, …

| Full | Unreserved | Allocated | BGP |
|---|---|---|---|
| 4.3B (100%) | 3.7B (86%) | 3.7B (86%) | 2.6B (60%) |
![Page 24: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/24.jpg)
Scanners
• Horizontal scanner
– SYN scan → live servers on port
• AppTCP scanner
– Probes live servers with fingerprint
• UDP scanner
– Does not require horizontal scan
![Page 25: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/25.jpg)
Scanning Properties
• Scan rate
– One scanner saturates a 1-10 Gbps link → distribute
– Limited to ≤ 60,000 pps; ≤ 400 cps
• Scan order
– LCG for horizontal/UDP, shuffle for AppTCP
• Whitelisting
– 512 MB bit array, O(1) lookup
• Output
– Pcap / result for AppTCP/UDP
– IP list for horizontal
![Page 26: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/26.jpg)
Ethical Considerations
• Scan as politely as possible
• Rate-limit scanners
• One fingerprint at a time
• Set up forward, backward DNS entries for scanners
• Set up webpage in scanners explaining experiment
• Remove ranges of providers that request it
• Manually check fingerprints
![Page 27: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/27.jpg)
Outline
• Intro
• Approach
– Adversarial Fingerprint Generation
– Scanning
• Evaluation
![Page 28: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/28.jpg)
Fingerprint Generation Results

| Type | Source | Fam. | Pcaps | RRPs | RRPs Replayed | Seeds | Fingerprints |
|---|---|---|---|---|---|---|---|
| Malware | VirusShare | 152 | 918 | 1,639 | 193 | 19 | 18 |
| Malware | MALICIA | 9 | 1,059 | 764 | 602 | 2 | 2 |
| Honeyclient | MALICIA | 6 | 1,400 | 42,160 | 9,497 | 5 | 2 |
| Honeyclient | UrlQuery | 1 | 4 | 11 | 11 | 1 | 1 |

• 23 fingerprints for 13 families (1 UDP, 22 HTTP)
• Families: 3 exploit kits, 10 malware
• Challenges
– No seed server, families with many traces, no replay
![Page 29: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/29.jpg)
HTTP Scans Summary
• 11 localized scans
– 9 find previously unknown servers
• 11 Internet-wide scans
– 14 hours (4 scanners), 24 hours (3 scanners)
• 151 servers found
– 15 seeds → 10x amplification
![Page 30: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/30.jpg)
Coverage Comparison

| CyberProbe | VirusTotal | URLQuery | VxVault | MDL |
|---|---|---|---|---|
| 151 (100%) | 40 (26%) | 23 (15%) | 1 (0.7%) | 1 (0.7%) |

4x coverage improvement
![Page 31: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/31.jpg)
Operations

| Operation | Fingerprints | Seeds | Servers | # Provid. | Provider Locality |
|---|---|---|---|---|---|
| bestav | 3 | 6 | 23 | 7 | 3.3 |
| bh2-adobe | 1 | 1 | 13 | 7 | 1.8 |
| bh2-ngen | 1 | 1 | 2 | 2 | 1.0 |
| blackrev | 1 | 1 | 2 | 2 | 1.0 |
| clickpayz | 2 | 2 | 51 | 6 | 8.5 |
| doubleighty | 1 | 1 | 18 | 9 | 2.0 |
| kovter | 2 | 2 | 9 | 4 | 2.2 |
| ironsource | 1 | 1 | 7 | 4 | 1.7 |
| optinstaller | 1 | 1 | 18 | 4 | 2.0 |
| soft196 | 1 | 1 | 8 | 4 | 2.0 |
| TOTAL | 14 | 15 | 151 | 47 | 3.2 (avg.) |
![Page 32: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/32.jpg)
Example Operation: BestAV
• Affiliate pay-per-install
– Winwebsec, Urausy, other
• 29 servers
– 11 C&C servers
– 16 payment servers
– 2 web servers for affiliates
• 4 hosting providers (C&C, payment)
– A: 6 payment + 5 C&C
– B: 9 payment + 4 C&C
– C: 2 C&C
– D: 1 payment
![Page 33: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/33.jpg)
Exploit Server Operations
• Blackhole2-ngen
– 2–3 servers simultaneously since October ’12
• Blackhole2-adobe
– 13 servers
– 3 known to VT, +2 4d later, +1 13d later
• Doubleighty
– 18 servers
– Visit 9 with honeyclient, 7 exploited
– One month later another starts exploiting
![Page 34: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/34.jpg)
P2P Bots Scan Results

| Type | Date | Port | Fingerprint | Targets | SC | Rate | Time | Found |
|---|---|---|---|---|---|---|---|---|
| R | 03/19 | UDP/16471 | zeroaccess | 40,448 | 1 | 10 | 1.2h | 55 (0.13%) |
| I | 05/03 | UDP/16471 | zeroaccess | 2.6B | 4 | 50,000 | 3.6h | 7,884 (0.0003%) |
![Page 35: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/35.jpg)
Related Work
Scanning
• Leonard et al. IMC ’10
• Heninger et al. Usenix Security ’12
• Zmap
Fingerprinting
• FiG
• PeerPress
Signature Generation
• Honeycomb, Autograph, EarlyBird,
Polygraph, Hamsa
• Botzilla, Perdisci et al., Firma
![Page 36: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/36.jpg)
Conclusion
• Active probing approach for detecting malicious servers
• Adversarial fingerprint generation technique
• Implement approach into CyberProbe
• Use CyberProbe to find malicious servers
– 151 servers in 24 localized/Internet-wide scans
– 75% servers unknown to public databases
– 7000+ P2P supernodes
• Identifies provider locality property
![Page 37: CyberProbe: Towards Internet-Scale Active Detection of Malicious Server](https://reader034.fdocuments.net/reader034/viewer/2022052315/5551443db4c905c6268b4c20/html5/thumbnails/37.jpg)
MALICIA Project
• Malware in Cybercrime
• 5 Publications
• Dataset released
• Collaborators:
http://malicia-project.com