CAMP: Content-Agnostic Malware Protection

In spite of recent advances, the world wide web remains an important vector for malware installation. Approaches to evaluating potentially malicious code before execution in a browser, such as blacklisting or content-based detection, are hindered by an attacker's ability to easily change hosting domains or mutate malware binaries. On the other hand, whitelist-based approaches are challenged by the large, dynamic, and heterogeneous space of benign binaries that they must track. In practice these approaches continue to provide value for popular binaries at either extreme of maliciousness (e.g., the current large outbreak of malware, the benign binaries shipped with an OS), but bridging the gap between whitelist and blacklist detection for web malware remains a significant challenge. This paper presents CAMP, a content-agnostic malware protection system based on binary reputation that is designed to address these shortcomings. CAMP is built into the browser and determines the reputation of most downloads locally, relying on server-side reputation data only when a local decision cannot be made. This paper gives a detailed overview of CAMP and its architecture and provides an evaluation of the system through a six-month deployment in which 200 million users of Google Chrome issued between eight and ten million reputation requests a day. Our evaluation shows that CAMP exhibits accuracy close to 99% relative to proprietary VM-based dynamic analysis, is able to process requests in less than 130 ms on average, and was able to detect approximately five million intentional malware downloads per month that were not detected by existing solutions.
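The two-tier decision the abstract describes (decide locally from shipped lists where possible, otherwise ask a reputation server with metadata only, never the binary itself) can be modelled compactly. The following Python is an added illustration, not code from the CAMP paper or from Chrome: the local allow/block lists, the trusted-signer set, the host and hash reputation tables, the penalty for unsigned binaries and the decision threshold are all hypothetical, and the sample binaries are constructed byte strings.

```python
"""Model of a CAMP-style two-tier download reputation check (added illustration)."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Extensions treated as executable content worth evaluating (hypothetical list).
EXECUTABLE_EXTS = (".exe", ".msi", ".dll", ".scr", ".dmg", ".pkg")


@dataclass
class Download:
    url: str
    content: bytes
    signer: Optional[str] = None  # subject of a valid code-signing cert, or None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample payloads standing in for real binaries.
OS_UPDATER = b"MZ\x90\x00 constructed OS vendor updater"
KNOWN_BAD = b"MZ\x90\x00 constructed rogue antivirus installer"
UNKNOWN = b"MZ\x90\x00 constructed never-seen installer"

# Constructed local lists, in the role of data a browser would ship or cache.
LOCAL_ALLOW_HASHES = {sha256_hex(OS_UPDATER)}
LOCAL_BLOCK_HASHES = {sha256_hex(KNOWN_BAD)}
TRUSTED_SIGNERS = {"Example OS Vendor Inc."}


def is_executable(url: str) -> bool:
    return urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS)


def local_decision(dl: Download) -> Optional[str]:
    """Return 'allow' or 'block' when local data suffices, else None."""
    if not is_executable(dl.url):
        return "allow"  # nothing to evaluate for non-executable content
    digest = sha256_hex(dl.content)
    if digest in LOCAL_BLOCK_HASHES:
        return "block"
    if digest in LOCAL_ALLOW_HASHES or dl.signer in TRUSTED_SIGNERS:
        return "allow"
    return None  # local lists cannot decide; fall back to the server


def reputation_request(dl: Download) -> dict:
    """Metadata-only request: the binary content itself never leaves the client."""
    return {
        "sha256": sha256_hex(dl.content),
        "host": urlsplit(dl.url).hostname or "",
        "size": len(dl.content),
        "signer": dl.signer,
    }


# Constructed server-side reputation data (hypothetical scores in [0, 1]).
HOST_REPUTATION = {
    "updates.example-vendor.com": 0.95,
    "free-av-download.example": 0.05,
}
HASH_REPUTATION = {}  # sha256 -> score learned from earlier verdicts


def server_reputation(req: dict) -> float:
    """Hypothetical scoring: known hash wins, else host score minus an unsigned penalty."""
    if req["sha256"] in HASH_REPUTATION:
        return HASH_REPUTATION[req["sha256"]]
    score = HOST_REPUTATION.get(req["host"], 0.5)  # neutral prior for unknown hosts
    if req["signer"] is None:
        score -= 0.2
    return max(0.0, min(1.0, score))


def classify(dl: Download, threshold: float = 0.5) -> Tuple[str, bool]:
    """Return (verdict, server_consulted). Threshold is a hypothetical parameter."""
    verdict = local_decision(dl)
    if verdict is not None:
        return verdict, False
    score = server_reputation(reputation_request(dl))
    return ("allow" if score >= threshold else "block"), True


if __name__ == "__main__":
    samples = [
        Download("https://updates.example-vendor.com/updater.exe", OS_UPDATER, "Example OS Vendor Inc."),
        Download("http://free-av-download.example/setup.exe", KNOWN_BAD),
        Download("http://free-av-download.example/installer.exe", UNKNOWN),
        Download("https://updates.example-vendor.com/tool.exe", UNKNOWN),
        Download("https://cdn.example.org/readme.txt", b"plain text"),
    ]
    for dl in samples:
        print(dl.url, *classify(dl))
```

The point of the split is visible in `classify`: most requests resolve on the client, and the server only ever sees hashes and metadata, so changing the hosting domain or mutating the binary does not defeat the server-side component while leaving it blind to the payload.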
