Can We Go Ahead of Attackers?
Transcription
Can We Go Ahead of Attackers?
Can We Go Ahead of Attackers? Towards Proactive Cyber Defense Guofei Gu Texas A&M University 2013/9/27 Guofei Gu Rethinking Proactive Cyber Defense Roadmap Today • Introduction – Rising Cyber threat: Internet malware – Challenges in cyber defense – Proactive cyber defense: new research paradigm • Case Study – Can we proactively detect compromised computers before they are controlled? • Summary 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 2 Sea‐Change in Internet Attacks • Computers on the Internet used to be mere targets – For fun and fame • Now they are Resources/Platforms – For profit • Most modern cyber crimes are carried out by malware 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 3 What Is Malware • Malware = Malicious Software – – – – – – – – Viruses Worms Trojans Bots/Botnets Spyware Adware Scareware ... 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 4 Examples: Bots/Botnets • Bot (Zombie) – Compromised computer controlled by malware (botcode) without owner consent/knowledge • Botnets (Bot Armies): Networks of bots controlled by criminals bot C&C 2013/9/27 Guofei Gu Towards Proactive Cyber Defense Botmaster 5 How Powerful Is Malware • Google uses between 20 and 200 petabytes of disk space • BlueGene/L (top 5 super computer) has 128,000 computer processor cores and 32 terabytes of RAM • Storm botnet has the equivalent of one to 10 million 2.8 GHz Pentium 4 processors with one to 10 million petabytes worth of RAM Source: WashingtonPost report, 2007 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 6 Malware Epidemic • • • • • • • More than 95% of all spam All distributed denial of service (DDoS) attacks Click fraud Phishing & pharming attacks Key logging & data/identity theft Distributing other malware, e.g., spyware Anonymized terrorist & criminal communication 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 7 Current largest Internet/Global Threat • “Attack of zombie computers is growing threat” (New York Times) • “Why we are losing the botnet battle” (Network World) • The annual financial loss for US organizations amounts to hundreds of millions of dollars. (CSI/FBI Computer Crime and Security Survey, Dec. 2009) • “25% of Internet PCs are part of a botnet” (Vint Cerf) 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 8 Internet Security: Broken Assumptions • Internet infrastructure (e.g., DNS, BGP) is trustworthy – DNS is more vulnerable than you think … • Computers are secure when using up‐to‐date AV/firewall – Not really • Attackers are for fun and fame – Profit, profit, profit! • Attackers have limited/bounded computing power – They hare almost unbounded(?) power • Attacks from isolated computers – The network is attacking you 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 9 Asymmetries of Security • Defenders are reactive, attackers are proactive • New defenses are expensive, new attacks are cheap • Defenses can’t be measured, but attacks can 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 10 New Research Paradigm Needed • We need to develop the “game changing” approaches to address challenges we now face • Why reactive? Why passive? • Proactive cyber defense – Precisely understanding active threats – Actively identify threats – Predict future threats 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 11 Malware Attack Phases 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 12 Proactive Cyber Defense (Proactive) Defense In Depth Prevent Can we proactively identify the rootcause of attacks? 2013/9/27 Guofei Gu Detect Can we detect compromised computers before they are controlled? Towards Proactive Cyber Defense Response Can we learn from history and predict future threats? 13 Case Study • Can we detect malware at an early stage before it is controlled (to carry out malicious activities)? • Our answer: yes 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 14 Current Research on Detection Network-level Detection • Perform Clustering and Correlation to identify suspicious traffic - Apply multiple statistics techniques. - Fail in front of encryption, pattern manipulation. • Structure/Graph Analysis - Only P2P structure regardless of whether the traffic is malicious. - Requires tremendous resources, such as global ISP-level cooperation Host-level Detection • Signatures Matching - Suffer from obfuscation/polymorphism. • Runtime Behavior Matching - Typically Expensive • Both Require Client-side Installation - Not Scalable for Large-Scale Deployment 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 15 Our Approach Is it possible to combine the strength of both approaches? • Host-level Dynamic Analysis - Insight: P2P malware has build-in remotely-accessible logic for peer communication/control. - Target: Extract the access/control conversation logic as detection evidence. • Network-level Active, Informed Probing - Insight: P2P malware has to open some port - Target: Actively probe machine in the network to detect malware-infected machines 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 16 Our Approach Overview of PeerPress System Analyze two logic components: Dynamic Analysis P1: Open Service Port P2: Parse request and generate response Malware Control Birthmark: Portprint: Port that malware listens on MCB probing: Request-and-Response Pair MCB-assisted network probing 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 17 Advantage of Our Approach Fast and Proactive • Apply probing technique to make the detection as fast as network scanning. • Able to detect malware even before the start of malicious communication/activity. Reliable • Probing content is extracted directly from malware binary. • Control logic is usually unique to each malware family. Scalable • Easy for large-scale deployment. 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 18 Why PeerPress? Dynamic Analysis • Analyze Malware Peer’s Logic to find MCB against themselves. Informed Active Probing • Scan the Peers’ Machine to press them expose the malware-infected machine. Not only Applicable to P2P Malware • Trojan Horses or any malware that contains Malware Control Birthmark 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 19 System : Portprint Extraction Challenges: Malware binds to different port Algorithmically-Deterministic Random Static … 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 20 System : Portprint Extraction Solution: Backward Taint Analysis + Program Slicing bind() 1. Execution Trace Collection from Malware Booting to Port Bind System/Library Calls whose Parameter has Semantic Meaning Constant Value 2. Backward Taint Analysis Many-unknown-sources-to-one-known Sink Read-only Segment ….. 3. Derive Portprint Type and Source of Data Dependence 4. Program Slicing and Port Generation Logics Extraction 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 21 System : MCB Probing Extraction Challenges Random Packet Probing Packet Processing Logic Termination Send Response No Response MCB Paths: All possible execution paths from packet receiving to packet transmitting 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 22 System : ICE Traditional Multipath Exploration Trigger-to-unknown Exploration Model Send Response 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 23 System : ICE Our Informed enforCed Execution(ICE) Scheme Trigger-to-known Exploration Model 2. MCB Path Stitches 1. Foresee: Breadth-first Forward Analysis Send Response 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 24 System : ICE How to Quickly Find the Send out Routine Insight: From the booting of P2P Malware, it starts sending out packets for peer communication. Such observable sending out routine may be reused in its server logic. We define Function Container: Any desired or undesired sinkholing system/library calls are function containers, such as send() or closesocket() The function directly or indirectly contains an existing function container. 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 25 System : ICE Path Foreseeing Online Enforced Execution to explore MCB paths Foreseeing, look forward, k code blocks to search for the calls to any recorded function container. Contain High Preference FC Contain Low Preference FC Normal Code block 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 26 System : ICE Stitching Dynamic Symbolic Execution • Expand all possible paths that are sensitive to tainted packets bytes (related to network packets) • Apply combination of concrete and symbolic execution to filter out Invalid and Unreachable paths. • Reconstruct MCB probing based on symbolic equations. 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 27 System : MCB Probing Extraction Verifier: Filtering False Positive Cases • First round: Verify whether probing packets can trigger the malware to execute the MCB path. • Second round: Verify whether the reply is unique or not. + Probe benign software and make sure their replies are different. 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 28 Evaluation Real world P2P Malware and Trojan Horse Families Name Type Name Type Conficker P2P Bot Nugache P2P Bot Phabot P2P Bot Sality P2P Bot NuclearRAT Trojan Horse BackOrfice Trojan Horse Penumbra Trojan Hose Storm/Peacomm P2P Bot NuCrypt Trojan Horse/Worm Wopla Trojan Horse WinCrash Trojan Horse WinEggDrop Spyware 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 29 Evaluation Effectiveness of Portprint Extraction Malware Type Port Number Conficker algorithms 46523/TCP, 18849/UDP Nugache static, random 8/TCP, 3722/TCP Sality algorithms 6162/UDP Phabot random 1999/TCP Storm/Peacomm static 7871, 11217/UDP BackOrfice static 31337/TCP 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 30 Evaluation Effectiveness of ICE • We set the maximum call depth for function containers as 4: Locate average 28 function containers per malware sample • Overhead: Compare ICE with Multipath Explorations Measure the number of rounds to generate one MCB path 6000 # of rounds ICE Multi-path 4000 2000 0 Conficker 2013/9/27 Nugache Guofei Gu Phabot Peacomm Backorifice NuclearRAT Towards Proactive Cyber Defense 31 Evaluation Outcome of MCB Malware # of MCB Malware # of MCB Conficker 3 Peacomm 3 Sality 1 BackOrifice 14 Phabot 9 NuclearRAT 12 WinEggDrop 8 Penumbra 13 Nugache 7 WinCrash 1 NuCrypt 2 Wopla 2 Guofei Gu Towards Proactive Cyber Defense 2013/9/27 32 Evaluation Detection Results through Active Probing In Virtual Networks Install samples for each family on our virtual environment Install well-known benign server software, such as Apache, eMule. Detection Results: PeerPress correctly detects all the exsiting malware Average 1.103 seconds to detect each malware 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 33 Evaluation False Positive Test In Real Networks of our Campus Scan 3 /24 networks using extracted MCBs Scan common ports for HTTP, P2P, FTP services Results: No false positives 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 34 Evaluation Comparison with State-of-the-art Detection System Deploy State-of-the-art network based system, BotHunter, in the virtual network Results: No malware detected. Discussion: Reasonable result, because Bothunter needs collecting enough network traffic for evidence. PeerPress is more proactive. 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 35 PeerPress Summary • We propose a novel two-phase detection framework for P2P Malware. • PeerPress combines the merits of both dynamic binary analysis and network-level informed active probing. • We develop techniques such as ICE to improve the analysis performance. 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 36 Conclusion • Traditional approaches are not enough • We need “game changing” approaches – Proactive cyber defense is a good complementary approach to existing ones – Precisely understanding active threats – Actively identify threats – Predict future threats • Can we go ahead of malware/attacker? • Can we proactively identify threats? – Infected machines (talked today) – Malicious servers (ongoing) 2013/9/27 Guofei Gu Towards Proactive Cyber Defense 37 Conclusion (Proactive) Defense In Depth Prevent Can we proactively identify the rootcause of attacks? 2013/9/27 Guofei Gu Detect Can we detect compromised computers before they are controlled? Towards Proactive Cyber Defense Response Can we learn from history and predict future threats? 38 Thanks! Http://faculty.cse.tamu.edu/guofei 2013/9/27 Guofei Gu Rethinking Proactive Cyber Defense