Behavioral Malware Detection in Delay Tolerant Networks
GUIDE: SHEIKH MOHAMMAD
PRESENTED BY: MANISH ABHISHEK, DAYAL SHANKAR ROY, SURESH JATOTH, K. PHANINDRA
INDEX
• ABSTRACT
• INTRODUCTION
• OBJECTIVE
• PROPOSED SYSTEM
• EXISTING SYSTEM
• ADVANTAGES
• DISADVANTAGES
• MODULES
• FUTURE EXTENSION
• CONCLUSION
ABSTRACT
• The delay-tolerant-network (DTN) model is becoming a viable communication alternative to the traditional infrastructural model for modern mobile consumer electronics equipped with short-range communication technologies such as Bluetooth, NFC, and Wi-Fi Direct.
• Behavioral characterization of malware is an effective alternative to pattern matching in detecting malware, especially when dealing with polymorphic or obfuscated malware.
• In this paper, we first propose a general behavioral characterization of proximity malware which is based on the Naive Bayesian model, which has been successfully applied in non-DTN settings such as filtering email spam and detecting botnets.
• The widespread adoption of these devices, coupled with strong economic incentives, induces a class of malware that specifically targets DTNs. We call this class of malware proximity malware.
• An early example of proximity malware is the Symbian-based Cabir worm, which propagated as a Symbian Software Installation Script (.sis) package.
• A later example is the iOS-based Ikee worm, which exploited the default SSH password on iPhones to propagate through IP-based Wi-Fi connections.
• To introduce a proposal for inter-region routing based on both probabilistic and deterministic forwarding mechanisms, embedded in an architectural framework able to support it.
• To present a general behavioral characterization of proximity malware, which captures the functional but imperfect nature of detecting proximity malware.
• To analyze the risk associated with the decision, and design a simple look-ahead strategy which naturally reflects individual nodes' intrinsic risk inclinations against malware infection.
• Delay tolerant networks have focused on the problem of delivering messages inside a single region characterized by the same network infrastructure and namespace. Many deployment scenarios will probably involve routing among different regions composed of several heterogeneous types of network domains, such as satellite networks.
• In DTNs, evidence such as BT is collected only when nodes come into contact. But contacting malware-infected nodes carries the risk of being infected. Thus, nodes must make decisions online based on potentially insufficient evidence.
• Sharing evidence among opportunistic acquaintances helps alleviate the aforementioned insufficient-evidence problem; however, false evidence shared by malicious nodes may negate the benefits of sharing.
• We introduce a proposal for inter-region routing based on both probabilistic and deterministic forwarding mechanisms, embedded in an architectural framework able to support it.
• We present a general behavioral characterization of proximity malware, which captures the functional but imperfect nature of detecting proximity malware.
• We analyze the risk associated with the decision, and design a simple, yet effective, strategy, look-ahead, which naturally reflects individual nodes' intrinsic risk inclinations against malware infection. Look-ahead extends the Naive Bayesian model, and addresses the DTN-specific, malware-related "insufficient evidence vs. evidence collection risk."
• In this paper, we consider a general behavioral characterization of proximity malware. Behavioral characterization, in terms of system calls and program flow, has been previously proposed as an effective alternative to pattern matching for malware detection.
• In our model, malware-infected nodes' behaviors are observed by others during their multiple opportunistic encounters: individual observations may be imperfect, but abnormal behaviors of infected nodes are identifiable in the long run.
• We present an adaptive end-host anomaly detector where a supervised classifier trained as a traffic predictor is used to control a time-varying detection threshold. Using real enterprise traffic traces for both training and testing, we show that our detector outperforms a fixed-threshold detector.
• This comparison is robust to the choice of off-the-shelf classifier and to a variety of performance criteria, i.e., the predictor's error rate, the reduction in the "threshold gap," and the ability to detect incremental worm traffic that is added to real-life traces.
• Our adaptive-threshold detector is intended as a part of a distributed worm detection system. This distributed system infers system-wide threats from end-host detections, thereby avoiding the sensing and resource limitations of conventional centralized systems. The system places a constraint on this end-host detector to appear consistent over time and host variability.
1. Store and forward message switching
2. Delay-tolerant networking
3. Gateway
4. Routing
• Data is held in network storage until it has a scheduled transfer. If the message has not been viewed, no delivery status is received; otherwise, a delivery status is received.
• A Delay-Tolerant Network (DTN) is a general-purpose overlay network that operates on top of varying regional networks, including the Internet.
• DTNs allow regional networks with varying delay characteristics to interoperate by providing mechanisms to translate between their respective network parameters.
• A gateway is designed to forward bundles between two or more DTN region networks and may optionally act as a host.
• The bundle overlay of gateways must have persistent storage and allow custody transfers. Gateways link together networks that operate on different lower-layer protocols.
• A router works within a single DTN region and is responsible for forwarding bundles. Such a router requires persistent storage to queue and keep bundles until outbound.
• We define communities that are visited often by the nodes to capture skewed location visiting preferences, and use time periods with different mobility parameters to create periodical re-appearance of nodes at the same location.
• We have clearly observed these two properties based on analysis of empirical WLAN traces.
• We derive analytical expressions to highlight the impact on the hitting time and meeting times if these mobility characteristics are incorporated.
• These quantities in turn determine the packet delivery delay in mobility-assisted routing settings.
• Behavioral characterization of malware is an effective alternative to pattern matching in detecting malware, especially when dealing with polymorphic or obfuscated malware.
• The Naive Bayesian model has been successfully applied in non-DTN settings, such as filtering email spam and detecting botnets.
• We propose a general behavioral characterization of DTN-based proximity malware. We present look-ahead, along with dogmatic filtering and adaptive look-ahead, to address two unique challenges in extending Bayesian filtering to DTNs: "insufficient evidence vs. evidence collection risk" and "filtering false evidence sequentially and distributedly".
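The Bayesian evidence accumulation described in the model (imperfect per-encounter observations that become conclusive in the long run) and the rejection of false shared evidence that the conclusion attributes to dogmatic filtering, as an added Python illustration that is not code from this deck or from the paper it summarizes. The Beta(1, 1) prior, the 0.5 cut-off rate, the 95% confidence level and the tolerance-based acceptance rule for shared counts are all assumptions of the example, not the paper's exact rules.

```python
from math import comb
# Added illustration, not code from the deck or the paper it summarizes. The
# acceptance rule for shared evidence (agreement within a tolerance) is an
# assumed simplification of the "dogmatic filtering" the deck names.

def beta_tail(sus, ok, theta):
    """P(p > theta) for p ~ Beta(sus, ok), integer shapes >= 1, using the
    identity I_theta(a, b) = P(Binomial(a + b - 1, theta) >= a)."""
    n = sus + ok - 1
    return sum(comb(n, k) * theta ** k * (1 - theta) ** (n - k) for k in range(sus))

class NeighbourBelief:
    """One node's belief about one neighbour, from a uniform Beta(1, 1) prior."""

    def __init__(self, theta=0.5, confidence=0.95, tolerance=0.25):
        self.sus, self.ok = 1, 1      # pseudo-counts: suspicious / benign assessments
        self.theta = theta            # cut-off rate of suspicious behaviour
        self.confidence = confidence  # certainty required before cutting contact
        self.tolerance = tolerance    # max disagreement tolerated in shared evidence

    def observe(self, suspicious):
        """Record one (possibly mistaken) assessment from a direct encounter."""
        self.sus += int(suspicious)
        self.ok += int(not suspicious)

    def p_infected(self):
        """Posterior probability that the neighbour's suspicious rate exceeds theta."""
        return beta_tail(self.sus, self.ok, self.theta)

    def accept_shared(self, shared_sus, shared_ok):
        """Merge an acquaintance's counts only if they roughly agree with our own
        estimate; contradicting evidence is dropped. Returns True if merged."""
        own = self.sus / (self.sus + self.ok)
        shared = shared_sus / (shared_sus + shared_ok)
        if abs(shared - own) > self.tolerance:
            return False
        self.sus, self.ok = self.sus + shared_sus, self.ok + shared_ok
        return True

    def decision(self):
        return "cut-off" if self.p_infected() >= self.confidence else "keep-contacting"

def run_scenario():
    """Constructed scenario: 8 direct assessments (6 flagged), then two shared reports."""
    b = NeighbourBelief()
    for flag in [1, 1, 0, 1, 1, 0, 1, 1]:
        b.observe(bool(flag))
    first = b.decision()            # 0.91 confidence: keep collecting evidence
    lie = b.accept_shared(1, 30)    # a malicious node claims the neighbour is clean
    honest = b.accept_shared(5, 2)  # an acquaintance's counts agree with ours
    return first, lie, honest, b.decision()
```

The fabricated "clean" report is discarded because it contradicts the node's own observations, while the consistent report pushes the posterior past the confidence level and the node cuts contact.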
Thank You