Detecting infection onset with behavior-based policies

A major vector of computer infection is the exploitation of vulnerable software or design flaws in networked applications such as the browser. Malicious code can be fetched and executed on a victim's machine without the user's permission, as in drive-by download (DBD) attacks. In this paper we describe a new tool, DeWare (Detection of Malware), for detecting the onset of an infection delivered through a vulnerable application. DeWare enforces the dependencies between user actions and system events such as file-system access and process execution: a system event that should only follow from a user action, but has no such action preceding it, is treated as unauthorized. The tool can provide real-time protection of a personal computer and can also be used to diagnose and evaluate untrusted websites for forensic purposes. Our solution demonstrates a usable host-based framework for controlling and enforcing access to system resources. We perform an extensive experimental evaluation, including a user study with 21 participants, thousands of legitimate websites (to measure false alarms), 84 malicious websites in the wild, and lab-reproduced exploits. Our results show that DeWare correctly distinguishes legitimate download events from unauthorized system events with a low false-positive rate (below 1%).
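The following is an added illustration of the user-action/system-event dependency idea described above; it is not DeWare's code and does not reproduce its policy engine. It assumes a simple pipe-separated event log (constructed inline), a 5-second grace window between a user action and the system effect it authorizes, and a fixed list of monitored directories and executable extensions; all of these are assumptions for the example. Each user action authorizes at most one matching system event, so a second executable written after a single download click is flagged, as is any executable write or process launch with no preceding user action.

```python
"""Toy behaviour-based onset detector: a sensitive system event by a monitored
process is allowed only if a matching user action from the same process occurred
within the last WINDOW_SECONDS and has not already been used.
Illustrative example, not DeWare's implementation; formats and thresholds assumed."""
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 5.0  # assumed grace period between user action and system effect
# Assumed: where the browser legitimately writes, and which extensions matter
MONITORED_DIRS = (r"C:\Users\alice\Downloads", r"C:\Users\alice\AppData\Local\Temp")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".js", ".vbs", ".msi")
# Which kinds of user action authorize which kinds of sensitive system event
AUTHORIZES = {
    "file_create": {"click_download", "click_save"},
    "process_exec": {"click_open", "click_run"},
}


@dataclass
class Event:
    ts: float     # seconds since monitoring started
    source: str   # "user" (UI hook) or "system" (file-system / process monitor)
    kind: str     # click_download, click_save, click_open, file_create, process_exec, ...
    process: str  # process that performed the action
    detail: str   # file path written or image launched


def parse(line):
    """Parse one 'ts|source|kind|process|detail' line (assumed log format)."""
    ts, source, kind, process, detail = line.split("|", 4)
    return Event(float(ts), source, kind, process, detail)


def is_sensitive(ev):
    """Process launches always count; file writes only for executables in monitored dirs."""
    if ev.kind == "process_exec":
        return True
    if ev.kind == "file_create":
        path = ev.detail.lower()
        dirs = tuple(d.lower() for d in MONITORED_DIRS)
        return path.endswith(EXECUTABLE_EXTS) and path.startswith(dirs)
    return False


def evaluate(lines, window=WINDOW_SECONDS):
    """Return [(Event, 'allow' | 'alert')] for every sensitive system event, in time order."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent_user = deque()  # unused user actions still inside the window
    verdicts = []
    for ev in events:
        # Expire user actions that are older than the window.
        while recent_user and ev.ts - recent_user[0].ts > window:
            recent_user.popleft()
        if ev.source == "user":
            recent_user.append(ev)
            continue
        if not is_sensitive(ev):
            continue
        ok = False
        for i, u in enumerate(recent_user):
            if u.process == ev.process and u.kind in AUTHORIZES[ev.kind]:
                del recent_user[i]  # one user action authorizes one system event
                ok = True
                break
        verdicts.append((ev, "allow" if ok else "alert"))
    return verdicts


# Constructed sample log: one legitimate download and launch, plus two unauthorized
# executable writes and one unauthorized launch typical of a drive-by infection.
SAMPLE_LOG = [
    r"0.0|user|click_download|firefox.exe|setup.exe",
    r"1.2|system|file_create|firefox.exe|C:\Users\alice\Downloads\setup.exe",
    r"1.5|system|file_create|firefox.exe|C:\Users\alice\AppData\Local\Temp\page.html",
    r"2.0|system|file_create|firefox.exe|C:\Users\alice\Downloads\helper.exe",
    r"30.5|system|file_create|firefox.exe|C:\Users\alice\AppData\Local\Temp\svch0st.exe",
    r"31.0|system|process_exec|firefox.exe|C:\Users\alice\AppData\Local\Temp\svch0st.exe",
    r"40.0|user|click_open|firefox.exe|setup.exe",
    r"40.4|system|process_exec|firefox.exe|C:\Users\alice\Downloads\setup.exe",
]


def alerts(lines=SAMPLE_LOG):
    """Paths of the system events the policy flags as unauthorized."""
    return [ev.detail for ev, verdict in evaluate(lines) if verdict == "alert"]


if __name__ == "__main__":
    for ev, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} t={ev.ts:<5} {ev.kind:12} {ev.process} -> {ev.detail}")
```

Running the block flags helper.exe (the single download click was already consumed by setup.exe), the svch0st.exe write in Temp and its launch (no user action at all), while setup.exe's write and later launch are allowed. In a real deployment the user-action source must be something the page's script cannot forge (a hook below the renderer rather than DOM events), and the window and consumption rules are exactly where false positives such as multi-file installers have to be tuned.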
