Can We Go Ahead of Attackers?

Transcription

Can We Go Ahead of Attackers?
Can We Go Ahead of
Attackers?
Towards Proactive Cyber Defense
Guofei Gu
Texas A&M University
2013/9/27
Guofei Gu
Rethinking Proactive Cyber Defense
Roadmap Today
• Introduction
– Rising Cyber threat: Internet malware
– Challenges in cyber defense
– Proactive cyber defense: new research paradigm
• Case Study
– Can we proactively detect compromised computers before they are controlled?
• Summary
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
2
Sea‐Change in Internet Attacks
• Computers on the Internet used to be mere targets
– For fun and fame
• Now they are Resources/Platforms
– For profit
• Most modern cyber crimes are carried out by malware
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
3
What Is Malware
• Malware = Malicious Software
–
–
–
–
–
–
–
–
Viruses
Worms
Trojans
Bots/Botnets
Spyware
Adware
Scareware ...
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
4
Examples: Bots/Botnets
• Bot (Zombie)
– Compromised computer controlled by malware (botcode) without owner consent/knowledge
• Botnets (Bot Armies): Networks of bots controlled by criminals
bot
C&C
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
Botmaster
5
How Powerful Is Malware
• Google uses between 20 and 200 petabytes of disk space
• BlueGene/L (top 5 super computer) has 128,000 computer processor cores and 32 terabytes of RAM
• Storm botnet has the equivalent of one to 10 million 2.8 GHz Pentium 4 processors with one to 10 million petabytes worth of RAM
Source: WashingtonPost report, 2007
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
6
Malware Epidemic
•
•
•
•
•
•
•
More than 95% of all spam
All distributed denial of service (DDoS) attacks
Click fraud
Phishing & pharming attacks
Key logging & data/identity theft
Distributing other malware, e.g., spyware
Anonymized terrorist & criminal communication
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
7
Current largest Internet/Global Threat
• “Attack of zombie computers is growing threat” (New York Times)
• “Why we are losing the botnet battle” (Network World)
• The annual financial loss for US organizations amounts to hundreds of millions of dollars.
(CSI/FBI Computer Crime and Security Survey, Dec. 2009)
• “25% of Internet PCs are part of a botnet” (Vint Cerf)
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
8
Internet Security: Broken Assumptions
• Internet infrastructure (e.g., DNS, BGP) is trustworthy
– DNS is more vulnerable than you think …
• Computers are secure when using up‐to‐date AV/firewall
– Not really
• Attackers are for fun and fame
– Profit, profit, profit!
• Attackers have limited/bounded computing power
– They hare almost unbounded(?) power
• Attacks from isolated computers
– The network is attacking you
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
9
Asymmetries of Security
• Defenders are reactive, attackers are proactive
• New defenses are expensive, new attacks are cheap
• Defenses can’t be measured, but attacks can
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
10
New Research Paradigm Needed
• We need to develop the “game changing” approaches to address challenges we now face
• Why reactive? Why passive?
• Proactive cyber defense
– Precisely understanding active threats
– Actively identify threats
– Predict future threats
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
11
Malware Attack Phases
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
12
Proactive Cyber Defense
(Proactive) Defense In Depth
Prevent
Can we proactively
identify the rootcause of attacks?
2013/9/27
Guofei Gu
Detect
Can we detect
compromised
computers before
they are
controlled?
Towards Proactive Cyber Defense
Response
Can we learn
from history
and predict
future threats?
13
Case Study
• Can we detect malware at an early stage before it is controlled (to carry out malicious activities)?
• Our answer: yes 2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
14
Current Research on Detection
Network-level Detection
• Perform Clustering and Correlation to identify suspicious traffic
- Apply multiple statistics techniques.
- Fail in front of encryption, pattern manipulation.
• Structure/Graph Analysis
- Only P2P structure regardless of whether the traffic is malicious.
- Requires tremendous resources, such as global ISP-level cooperation
Host-level Detection
• Signatures Matching
- Suffer from obfuscation/polymorphism.
• Runtime Behavior Matching
- Typically Expensive
• Both Require Client-side Installation
- Not Scalable for Large-Scale Deployment
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
15
Our Approach
Is it possible to combine the strength of both approaches?
• Host-level Dynamic Analysis
- Insight: P2P malware has build-in remotely-accessible logic for peer
communication/control.
- Target: Extract the access/control conversation logic as detection
evidence.
• Network-level Active, Informed Probing
- Insight: P2P malware has to open some port
- Target: Actively probe machine in the network to detect malware-infected
machines
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
16
Our Approach
Overview of PeerPress System
Analyze two logic components:
Dynamic Analysis
P1: Open Service Port
P2: Parse request and generate response
Malware Control Birthmark:
Portprint: Port that malware listens on
MCB probing: Request-and-Response Pair
MCB-assisted network probing
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
17
Advantage of Our Approach
Fast and Proactive
• Apply probing technique to make the detection as fast as
network scanning.
•
Able to detect malware even before the start of malicious
communication/activity.
Reliable
• Probing content is extracted directly from malware binary.
• Control logic is usually unique to each malware family.
Scalable
• Easy for large-scale deployment.
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
18
Why PeerPress?
Dynamic Analysis
• Analyze Malware Peer’s Logic to find MCB against
themselves.
Informed Active Probing
• Scan the Peers’ Machine to press them expose the
malware-infected machine.
Not only Applicable to P2P Malware
• Trojan Horses or any malware that contains Malware Control
Birthmark
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
19
System : Portprint Extraction
Challenges: Malware binds to different port
Algorithmically-Deterministic
Random
Static
…
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
20
System : Portprint Extraction
Solution: Backward Taint Analysis + Program Slicing
bind()
1. Execution Trace Collection from Malware Booting to Port Bind
System/Library Calls whose
Parameter has Semantic Meaning
Constant Value
2. Backward Taint Analysis
Many-unknown-sources-to-one-known Sink
Read-only Segment
…..
3. Derive Portprint Type and
Source of Data Dependence
4. Program Slicing and Port Generation Logics Extraction
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
21
System : MCB Probing Extraction
Challenges
Random Packet
Probing
Packet Processing Logic
Termination
Send Response
No Response
MCB Paths: All possible execution paths from packet receiving to packet
transmitting
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
22
System : ICE
Traditional Multipath Exploration
Trigger-to-unknown
Exploration Model
Send Response
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
23
System : ICE
Our Informed enforCed Execution(ICE) Scheme
Trigger-to-known Exploration
Model
2. MCB Path Stitches
1. Foresee: Breadth-first
Forward Analysis
Send Response
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
24
System : ICE
How to Quickly Find the Send out Routine
Insight: From the booting of P2P Malware, it starts sending out packets
for peer communication. Such observable sending out routine may be
reused in its server logic.
We define Function Container:
Any desired or undesired sinkholing system/library calls are function
containers, such as send() or closesocket()
The function directly or indirectly contains an existing function
container.
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
25
System : ICE
Path Foreseeing
Online Enforced Execution to explore MCB paths
Foreseeing, look forward, k code blocks
to search for the calls to any recorded function container.
Contain High
Preference FC
Contain Low
Preference FC
Normal Code block
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
26
System : ICE
Stitching Dynamic Symbolic Execution
• Expand all possible paths that are sensitive to tainted packets bytes
(related to network packets)
• Apply combination of concrete and symbolic execution to filter out
Invalid and Unreachable paths.
• Reconstruct MCB probing based on symbolic equations.
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
27
System : MCB Probing Extraction
Verifier: Filtering False Positive Cases
• First round:
Verify whether probing packets can trigger the malware to execute
the MCB path.
• Second round:
Verify whether the reply is unique or not.
+ Probe benign software and make sure their replies are different.
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
28
Evaluation
Real world P2P Malware and Trojan Horse Families
Name
Type
Name
Type
Conficker
P2P Bot
Nugache
P2P Bot
Phabot
P2P Bot
Sality
P2P Bot
NuclearRAT
Trojan Horse
BackOrfice
Trojan Horse
Penumbra
Trojan Hose
Storm/Peacomm P2P Bot
NuCrypt
Trojan
Horse/Worm
Wopla
Trojan Horse
WinCrash
Trojan Horse
WinEggDrop
Spyware
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
29
Evaluation
Effectiveness of Portprint Extraction
Malware
Type
Port Number
Conficker
algorithms
46523/TCP, 18849/UDP
Nugache
static, random
8/TCP, 3722/TCP
Sality
algorithms
6162/UDP
Phabot
random
1999/TCP
Storm/Peacomm
static
7871, 11217/UDP
BackOrfice
static
31337/TCP
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
30
Evaluation
Effectiveness of ICE
• We set the maximum call depth for function containers as 4:
Locate average 28 function containers per malware sample
• Overhead:
Compare ICE with Multipath Explorations
Measure the number of rounds to generate one MCB path
6000
# of rounds
ICE
Multi-path
4000
2000
0
Conficker
2013/9/27
Nugache
Guofei Gu
Phabot
Peacomm
Backorifice NuclearRAT
Towards Proactive Cyber Defense
31
Evaluation
Outcome of MCB
Malware
# of MCB
Malware
# of MCB
Conficker
3
Peacomm
3
Sality
1
BackOrifice
14
Phabot
9
NuclearRAT
12
WinEggDrop
8
Penumbra
13
Nugache
7
WinCrash
1
NuCrypt
2
Wopla
2
Guofei Gu
Towards Proactive Cyber Defense
2013/9/27
32
Evaluation
Detection Results through Active Probing
In Virtual Networks
Install samples for each family on our virtual environment
Install well-known benign server software, such as Apache,
eMule.
Detection Results:
PeerPress correctly detects all the exsiting malware
Average 1.103 seconds to detect each malware
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
33
Evaluation
False Positive Test
In Real Networks of our Campus
Scan 3 /24 networks using extracted MCBs
Scan common ports for HTTP, P2P, FTP services
Results:
No false positives
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
34
Evaluation
Comparison with State-of-the-art Detection System
Deploy State-of-the-art network based system,
BotHunter, in the virtual network
Results:
No malware detected.
Discussion:
Reasonable result, because Bothunter needs
collecting enough network traffic for evidence.
PeerPress is more proactive.
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
35
PeerPress Summary
• We propose a novel two-phase detection framework
for P2P Malware.
• PeerPress combines the merits of both dynamic binary
analysis and network-level informed active probing.
• We develop techniques such as ICE to improve the
analysis performance.
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
36
Conclusion
• Traditional approaches are not enough
• We need “game changing” approaches – Proactive cyber defense is a good complementary approach to existing ones
– Precisely understanding active threats
– Actively identify threats
– Predict future threats
• Can we go ahead of malware/attacker?
• Can we proactively identify threats?
– Infected machines (talked today)
– Malicious servers (ongoing)
2013/9/27
Guofei Gu
Towards Proactive Cyber Defense
37
Conclusion
(Proactive) Defense In Depth
Prevent
Can we proactively
identify the rootcause of attacks?
2013/9/27
Guofei Gu
Detect
Can we detect
compromised
computers before
they are
controlled?
Towards Proactive Cyber Defense
Response
Can we learn
from history
and predict
future threats?
38
Thanks!
Http://faculty.cse.tamu.edu/guofei
2013/9/27
Guofei Gu
Rethinking Proactive Cyber Defense