Dernière édition Attention: Le pdf pèse environ 17 - BFH-TI - Berner ...

Master of Science in EngineeringBIBEBUVAAutomated Malware Infection Signature GenerationInformation & Communication Technologies, IT-Security / Thesis Advisor: Prof. Dr. Endre BangerterExpert: Dr. Andreas GreulichProject partner: Non-DisclosedMalicious software, commonly known as malware, has become a serious threat to the security of computersystems. While current anti-virus detection and defense solutions are important and useful, theyremain, loosely speaking, not effective enough. Companies and organizations are often confronted withthe problem of assessing the extent of infections by new malware. In this thesis, we have built a system forthe automated generation of malware infection signatures with the objective to detect infected computers,which enables custom malware detections in organizations.Problem StatementA particular problem for companiesand organizations is to assess theextent of malware infections. Thus,how many and which computersystems are infected, once a pieceof malware has been identified. Notonly is this important for remediatingthe systems, but as well for preventingthe proliferation of the malwaremore effectively, and to assesswhat information might has beenleaked from infected computers.An obvious approach to this problemwould be to perform an organizationwide scan using an anti-virusproduct. Yet, this only works formalware that is known to the respectiveanti-virus vendor. This isparticularly not the case for targetedmalware attacks, where the malwaresample is usually unknown.Another approach to solve theproblem is that the affected organizationcould submit the sample toits anti-virus vendor to obtain a detectionsignature. However, anti-virusvendors in general do not providesuch a service for customizedsignatures. Furthermore, the organizationunder attack might not wantto share the sample with third partiesfor confidentiality reasons.GoalThe goal of this thesis was to remedythis situation enabling companiesand organizations to performcustom malware detection of infectedcomputer systems. Moreprecisely, the objective was to developan automated custom infectionsignature generator that takesan arbitrary sample which is knownto be malware as input and outputsa detection signature for the infection.The signature is then fed intoa detection component that performsthe malware detection on apotentially infected host.SolutionWe have developed a system thatgenerates an infection signature fora given arbitrary malware sample.This is performed by first executingthe sample in a virtual machinewhere it is monitored. The monitoringresults are then analyzed by aheuristic algorithm that we have developedin order to identify and extractmalicious memory regions.These are regions of the malwarethat exist in memory due to its infec -tion. Finally, byte string candidatesidentifying the malware are createdout of these regions, and thensound candidates with respect tofalse positives and negatives areselected. For the selection, we haveadopted a machine-learning approachproposed by Hancock (Griffinet al.), which is based on a benignsoftware model. We have aswell developed a detector that appliesthe infection signature in orderto detect infected systems.Jonathan Weythesis@trycatch.chHigh-level view of the infection signature generation and detection.ResultsThe effectivity of our system hasbeen evaluated in an environmentthat simulates an organization asrealistically as possible. We haveconducted a large-scale measurementon a mass malware set. Theobtained results suggest that thedetection of infected systems withthe generated infection signatures issound in terms of the false positiveand negative rate, and as well forinfections by variants of the malware.ti.bfh.ch35