NGC 2018 | Analyzing and Defending from Modern Internet Threats | Andrea Continella
Analyzing and Defending from
Modern Internet Threats
Andrea Continella
andrea.continella@polimi.it
23-May-2018 @ UC Berkeley
Who are we?
● System Security Research Group
○ 1 Associate Professor
○ 3 Postdoctoral Researchers
○ 3 (almost 4) PhD Students
○ 15+ Master Students
● Research Lines:
○ Malware and Threat Analysis
○ Frauds Analysis and Detection
○ Mobile Security
○ Security of Cyber-physical systems
● Hacking Activities (aka CTF)
○ Tower of Hanoi ~> http://toh.necst.it/
○ mHACKeroni
Ransomware
FS Activity Monitor
● Windows kernel module to monitor and log the file system activity
○ Windows Minifilter Driver
○ Logs IRPs (I/O Request Packets)
[Diagram: a Process in user mode issues I/O that flows, in kernel mode, through the I/O Manager → Filter Manager (where the minifilter sits) → File System → Storage Driver → Hardware]
Ransomware vs. Benign Apps
[Diagram: benign applications and ransomware (marked "?") issue requests from user mode; in kernel mode IRPLogger sits between the I/O Manager and the File System, above the Storage Driver and the disk drive]
Ransomware vs. Benign Apps
Distribution (feature value vs. frequency) of each feature for benign applications and for ransomware:
(1) # Folder listings
(2) # Files Read
(3) # Files Written
(4) # Files Renamed
(5) File Type Coverage
(6) Write Entropy
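As an added example (not ShieldFS code), this is how the six features above can be computed per process from a minifilter-style IRP log. The log, the disk's file-type inventory (`DISK_EXTENSIONS`) and the file contents are constructed; all helper names are assumptions.

```python
import hashlib
import math
from collections import defaultdict


def _blob(seed: str, n_blocks: int = 8) -> bytes:
    """Deterministic pseudo-random bytes: a constructed stand-in for the
    ciphertext a ransomware writes back over a victim file."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest()
                    for i in range(n_blocks))


# Constructed inventory of the file types present on the protected disk.
DISK_EXTENSIONS = {"docx", "xlsx", "jpg", "pdf", "txt"}
BENIGN_TEXT = b"Quarterly report: revenue up 3%.\n" * 8

# Constructed IRP-style log: (pid, operation, path, payload).
# pid 1001 behaves like ransomware, pid 2002 like a text editor.
DOCS = r"C:\Users\alice\Documents"
PICS = r"C:\Users\alice\Pictures"
DESK = r"C:\Users\alice\Desktop"
LOG = [
    (1001, "DIRLIST", DOCS, b""),
    (1001, "DIRLIST", PICS, b""),
    (1001, "DIRLIST", DESK, b""),
    (1001, "READ", DOCS + r"\report.docx", b""),
    (1001, "WRITE", DOCS + r"\report.docx", _blob("report")),
    (1001, "RENAME", DOCS + r"\report.docx", b"report.docx.locked"),
    (1001, "READ", DOCS + r"\budget.xlsx", b""),
    (1001, "WRITE", DOCS + r"\budget.xlsx", _blob("budget")),
    (1001, "RENAME", DOCS + r"\budget.xlsx", b"budget.xlsx.locked"),
    (1001, "READ", PICS + r"\holiday.jpg", b""),
    (1001, "WRITE", PICS + r"\holiday.jpg", _blob("holiday")),
    (1001, "RENAME", PICS + r"\holiday.jpg", b"holiday.jpg.locked"),
    (1001, "READ", DESK + r"\invoice.pdf", b""),
    (1001, "WRITE", DESK + r"\invoice.pdf", _blob("invoice")),
    (1001, "RENAME", DESK + r"\invoice.pdf", b"invoice.pdf.locked"),
    (2002, "DIRLIST", DOCS, b""),
    (2002, "READ", DOCS + r"\notes.txt", b""),
    (2002, "WRITE", DOCS + r"\notes.txt", BENIGN_TEXT),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extract_features(log):
    """Per-process values of the six features: folder listings, files read,
    files written, files renamed, file-type coverage (fraction of the disk's
    extensions the process wrote to) and mean entropy of the written data."""
    acc = defaultdict(lambda: {"listed": set(), "read": set(), "written": set(),
                               "renamed": 0, "entropies": []})
    for pid, op, path, payload in log:
        s = acc[pid]
        if op == "DIRLIST":
            s["listed"].add(path)
        elif op == "READ":
            s["read"].add(path)
        elif op == "WRITE":
            s["written"].add(path)
            s["entropies"].append(shannon_entropy(payload))
        elif op == "RENAME":
            s["renamed"] += 1
    feats = {}
    for pid, s in acc.items():
        touched = {_extension(p) for p in s["written"]} & DISK_EXTENSIONS
        ent = s["entropies"]
        feats[pid] = {
            "folder_listings": len(s["listed"]),
            "files_read": len(s["read"]),
            "files_written": len(s["written"]),
            "files_renamed": s["renamed"],
            "type_coverage": len(touched) / len(DISK_EXTENSIONS),
            "write_entropy": sum(ent) / len(ent) if ent else 0.0,
        }
    return feats


if __name__ == "__main__":
    for pid, f in extract_features(LOG).items():
        print(pid, {k: round(v, 2) for k, v in f.items()})
```

The ransomware-like process scores high on every feature at once (many listings, every read followed by a high-entropy write and a rename, most file types covered), while the editor touches one file type with low-entropy data.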
ShieldFS: Healing Approach
File Recovery Workflow
Start → process state: Unknown
Unknown: Monitor & COW (copy-on-write) on first write, while the ShieldFS Detector classifies the process
Malicious: Restore original copies
Benign: Clean old copies
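The workflow above, simulated on an in-memory volume as an added example (not ShieldFS code): an unknown process's files are shadowed on their first write, and the detector's verdict either restores the originals or discards the shadows. The class, file names and contents are constructed.

```python
from typing import Dict, Optional, Tuple


class SelfHealingFs:
    """In-memory stand-in for a copy-on-write protected volume (constructed)."""

    def __init__(self, files: Dict[str, bytes]):
        self.files: Dict[str, bytes] = dict(files)
        # (pid, path) -> original bytes, or None if the path did not exist yet
        self.shadow: Dict[Tuple[int, str], Optional[bytes]] = {}
        self.verdict: Dict[int, str] = {}  # pid -> "malicious" | "benign"

    def _check_allowed(self, pid: int) -> None:
        if self.verdict.get(pid) == "malicious":
            raise PermissionError(f"pid {pid} was flagged as ransomware; I/O blocked")

    def _cow(self, pid: int, path: str) -> None:
        """Keep the original on the first write by a still-unknown process.
        A process already judged benign is no longer shadowed."""
        if pid not in self.verdict:
            self.shadow.setdefault((pid, path), self.files.get(path))

    def write(self, pid: int, path: str, data: bytes) -> None:
        self._check_allowed(pid)
        self._cow(pid, path)
        self.files[path] = data

    def rename(self, pid: int, old: str, new: str) -> None:
        self._check_allowed(pid)
        self._cow(pid, old)
        self._cow(pid, new)
        self.files[new] = self.files.pop(old)

    def apply_verdict(self, pid: int, verdict: str) -> int:
        """Detector outcome for `pid`. Malicious: every shadowed path goes back
        to its original state. Benign: the old copies are simply discarded.
        Returns the number of shadow copies handled."""
        if verdict not in ("malicious", "benign"):
            raise ValueError(verdict)
        mine = [key for key in self.shadow if key[0] == pid]
        for key in mine:
            original = self.shadow.pop(key)
            if verdict == "benign":
                continue
            if original is None:
                self.files.pop(key[1], None)  # path created by the process
            else:
                self.files[key[1]] = original
        self.verdict[pid] = verdict
        return len(mine)


ORIGINALS = {  # constructed victim files
    r"C:\Users\alice\Documents\report.docx": b"PK\x03\x04 report contents",
    r"C:\Users\alice\Documents\notes.txt": b"todo: renew certs\n",
}
CIPHERTEXT = b"\x9f\x31\xc4\x7e\x02\xd8\xaa\x15"  # constructed stand-in


def scenario(verdict: str) -> Dict[str, bytes]:
    """pid 1001 overwrites and renames both files while still unknown; the
    detector then returns `verdict`. The resulting volume is returned."""
    fs = SelfHealingFs(ORIGINALS)
    for path in ORIGINALS:
        fs.write(1001, path, CIPHERTEXT)
        fs.rename(1001, path, path + ".locked")
    fs.apply_verdict(1001, verdict)
    return fs.files


def blocked_after_verdict() -> bool:
    """Once flagged, the process can no longer touch the volume."""
    fs = SelfHealingFs(ORIGINALS)
    fs.write(1001, r"C:\Users\alice\Documents\notes.txt", CIPHERTEXT)
    fs.apply_verdict(1001, "malicious")
    try:
        fs.write(1001, r"C:\Users\alice\Documents\new.txt", b"x")
    except PermissionError:
        return True
    return False
```

Because the shadow is taken before the first write and kept until a verdict exists, the originals survive even when detection comes late.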
Detection & Recovery Capabilities
● 1483 unseen samples
○ Locky, TeslaCrypt, CryptoLocker, Critroni, TorrentLocker, CryptoWall, Troldesh, CryptoDefense, PayCrypt, DirtyDecrypt, ZeroLocker, Cerber, WannaCry
● Files protected: always 100%
○ Even in case of missed detection
● Detection rate: 1436/1483, 96.9%
Are we safe now?
Limitations of Software-based Detectors
[Diagram: layered stack App / OS / Kernel / Hardware, with the Detector placed inside the kernel, at the same level as the OS it is supposed to watch]
Can we move malware detectors toward the hardware level?
Monitoring Physical Memory
● Access physical memory with an external device through PCIe
[Diagram: CPU and Memory attached to the PCIe Root Complex, with PCIe endpoints, one of which is the external reader]
● Live memory forensics: filling the semantic gap
[Diagram: Semantic Reconstruction turns raw memory (e.g., 4cf8eafbfa631312 10e669b3e98b67f6 82097ae3fe87145c ...) into OS data structures]
Memory Detection Features
● Code injection: execute malicious code within benign process
● Persistence: rerun across reboots
● Self-modifying Code: uncompress or decrypt code
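An added example (not the detector's code) of the three memory-only checks listed above, run on reconstructed process state: injected code, self-modifying code between two snapshots, and persistence via autostart entries. The `Region` format, the snapshots and the registry entries are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Region:
    pid: int
    start: int
    size: int
    perms: str               # "r-x", "rwx", "rw-" ...
    backing: Optional[str]   # mapped image/file path, None for private memory
    content: bytes


def _fingerprint(r: Region) -> bytes:
    return hashlib.sha256(r.content).digest()


def find_injected_code(snapshot: List[Region]) -> List[Region]:
    """Executable memory with no image or file behind it: code written into
    the process at run time rather than loaded by the OS image loader."""
    return [r for r in snapshot if "x" in r.perms and r.backing is None]


def find_self_modifying_code(before: List[Region], after: List[Region]) -> List[Region]:
    """Image-backed executable regions whose bytes changed between two
    snapshots: a packed or encrypted payload being unpacked in place."""
    seen: Dict[tuple, bytes] = {(r.pid, r.start, r.size): _fingerprint(r)
                                for r in before if "x" in r.perms and r.backing}
    return [r for r in after
            if (r.pid, r.start, r.size) in seen and "x" in r.perms and r.backing
            and _fingerprint(r) != seen[(r.pid, r.start, r.size)]]


def find_persistence(autostart: Dict[str, str], images: Dict[int, str]) -> Dict[int, str]:
    """Processes whose image is referenced by an autostart entry reconstructed
    from the registry hive in memory (they would rerun after a reboot)."""
    hits: Dict[int, str] = {}
    for pid, image in images.items():
        for key, command in autostart.items():
            if image.lower() in command.lower():
                hits[pid] = key
    return hits


# Constructed snapshots: pid 400 is a legitimate process, pid 512 a packed one.
EXPLORER = r"C:\Windows\explorer.exe"
UPDATER = r"C:\Users\alice\AppData\Roaming\updater.exe"
T0 = [
    Region(400, 0x7FF600001000, 0x1000, "r-x", EXPLORER, b"\x48\x89\x5c\x24\x08" * 64),
    Region(400, 0x02A00000, 0x1000, "rw-", None, b"\x00" * 256),
    Region(512, 0x00401000, 0x1000, "rwx", UPDATER, b"\xe8\x00\x00\x00\x00\x5d" * 32),
]
T1 = [
    Region(400, 0x7FF600001000, 0x1000, "r-x", EXPLORER, b"\x48\x89\x5c\x24\x08" * 64),
    Region(400, 0x02A00000, 0x1000, "rwx", None, b"\xcc" * 256),      # now executable
    Region(512, 0x00401000, 0x1000, "rwx", UPDATER, b"\x90" * 256),   # rewritten in place
]
AUTOSTART = {  # constructed Run-key entry as it would be reconstructed from the hive
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": UPDATER + " /silent",
}
IMAGES = {400: EXPLORER, 512: UPDATER}

if __name__ == "__main__":
    print("injected:", [(r.pid, hex(r.start)) for r in find_injected_code(T1)])
    print("self-modifying:", [(r.pid, hex(r.start)) for r in find_self_modifying_code(T0, T1)])
    print("persistence:", find_persistence(AUTOSTART, IMAGES))
```

None of the three checks needs the OS's cooperation: they only read and compare memory, which is what makes them candidates for an out-of-band monitor.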
Experimental Setup
[Diagram: Target/Protected Machine (Win 8.1) → (PCIe) → Physical Memory Reader (USB3380) → (USB) → Malware Detector]
Results Overview
Dataset: 2050 samples:
● Arancino dataset ~> 500 samples
● Quincy dataset ~> 73 samples
● VirusTotal ~> 1477 samples
Next?
[Diagram: Target/Protected Machine → (PCIe) → FPGA-based Detector]
Mobile Privacy Leaks
Mobile Privacy Leak Detection
● Mobile apps are known to leak private information over the
network (e.g., IMEI, Location, Contacts)
● Researchers developed approaches to detect them
○ Static taint analysis
○ Dynamic taint analysis
● Recently, network-based detection
○ Leaked values need to flow through the network
○ Example ad-network request carrying an encoded identifier: http://i.w.inmobi.com/showad.asm?u-id-map=iB7WTkCLJvNsaEQakKKXFhk8ZEIZlnL0jqbbYexcBAXYHH4wSKyCDWVfp+q+FeLFTQV6jS2Xg97liEzDkw+XNTghe9ekNyMnjypmgiu7xBS1TcwZmFxYOjJkgPOzkI9j2lryBaLlAJBSDkEqZeMVvcjcNkx+Ps6SaTRzBbYf8UY=&u-key-ver=2198564
Our Approach
● Identify privacy leaks in a way that is resilient to obfuscation, encoding and encryption
● Perform black-box differential analysis
1. Establish a baseline of the network behavior
2. Modify sources of private information
3. Detect leaks by observing differences in network traffic
Example: APP with IMEI 12345678 → http://host.com/?id=39979edb58
Example: APP with IMEI 98765432 → http://host.com/?id=bae6a29c9b
Not so easy...
● Network traffic is non-deterministic
● The output changes even if you don't change the source
● Cannot pin a change in the output to a specific change in the input
We found that non-determinism can often be explained and removed, making differential analysis possible.
Sources of Non-Determinism
● Random values
● Timing values
● Network values
● System values
● Encryption
● Executions
Comparison with Existing Tools
Our approach (Agrigento) detected many more apps, and we manually verified that most of them were true positives!
Case Study: ThreatMetrix
1. IMEI, Location, MAC address ~> HashMap
2. XOR HashMap with a randomly generated key
3. Hex-encode HashMap
4. Send obfuscated HashMap & random key
https://h.online-metrix.net/fp/clear.png?ja=<hex-encoded obfuscated HashMap, truncated>
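An added example (not Agrigento's code) that ties together the differential analysis steps, the non-determinism problem and the case study above: a constructed app hashes the IMEI into one field and sends an XOR-obfuscated fingerprint with a freshly drawn random key and the key itself; the analysis records a baseline, changes the IMEI, and compares. The app, the field names `id`, `ja`, `k`, `nonce`, `ts`, `ver` and all values are constructed, not real ThreatMetrix traffic.

```python
import hashlib
import random
from typing import Dict, List


def app_request(imei: str, rng: random.Random, clock: int) -> Dict[str, str]:
    """Constructed app: a hashed identifier, an XOR-obfuscated fingerprint
    whose 8-byte key is drawn on every execution and sent alongside it, plus
    genuinely non-deterministic fields (nonce, timestamp)."""
    key = bytes(rng.randrange(256) for _ in range(8))
    fingerprint = f"imei={imei}&lat=45.478&lon=9.227".encode()
    obfuscated = bytes(b ^ key[i % len(key)] for i, b in enumerate(fingerprint))
    return {
        "id": hashlib.sha1(imei.encode()).hexdigest()[:10],
        "ja": obfuscated.hex(),
        "k": key.hex(),
        "nonce": str(rng.randrange(1 << 32)),
        "ts": str(clock),
        "ver": "2198564",
    }


def nondeterministic_fields(baseline: List[Dict[str, str]]) -> set:
    """Fields that vary across runs with identical private inputs."""
    return {k for k in baseline[0] if len({r[k] for r in baseline}) > 1}


def detect_leaks(baseline: List[Dict[str, str]], perturbed: Dict[str, str]) -> List[str]:
    """Step 3: fields that were stable in the baseline (step 1) but changed
    once the private source was modified (step 2) are the candidate leaks."""
    noise = nondeterministic_fields(baseline)
    ref = baseline[0]
    return sorted(k for k in ref if k not in noise and perturbed[k] != ref[k])


def analyse_naive() -> List[str]:
    """Each execution draws a new key, nonce and timestamp: 'ja' and 'k' look
    like noise and the obfuscated IMEI leak is missed."""
    baseline = [app_request("12345678", random.Random(run), 1000 + run) for run in range(3)]
    perturbed = app_request("98765432", random.Random(99), 1099)
    return detect_leaks(baseline, perturbed)


def analyse_controlled() -> List[str]:
    """Non-determinism removed: random draws and the clock are pinned to the
    same values in every run (simulated here with a fixed seed and clock; the
    real tool does it by instrumenting the random/time APIs), so only
    source-driven differences remain."""
    baseline = [app_request("12345678", random.Random(0), 1000) for _ in range(3)]
    perturbed = app_request("98765432", random.Random(0), 1000)
    return detect_leaks(baseline, perturbed)


def deobfuscate(ja_hex: str, key_hex: str) -> str:
    """The key travels with the payload, so an analyst can confirm the flagged
    field really carries the IMEI (the manual true-positive check)."""
    data, key = bytes.fromhex(ja_hex), bytes.fromhex(key_hex)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode()


if __name__ == "__main__":
    print("naive:", analyse_naive())            # only the hashed id is caught
    print("controlled:", analyse_controlled())  # the obfuscated field too
    req = app_request("12345678", random.Random(0), 1000)
    print("decoded ja:", deobfuscate(req["ja"], req["k"]))
```

The naive run shows the false negative the "Random values" source causes; pinning the randomness turns the XOR-obfuscated field into a stable baseline value that only moves when the IMEI does.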
Conclusions
● We need generic and automated solutions to fight evolving threats
● Ransomware
○ Generic models to identify ransomware
○ Pure detection is not enough ~> Self-healing virtual FS
● OS might be untrusted ~> move detectors toward the hardware level
● Mobile Privacy Leak
○ Non-determinism in network traffic can be removed
○ Black-box, obfuscation-resilient approach
Thanks!
Questions?
Andrea Continella
andrea.continella@polimi.it
https://conand.me
@_conand
