Contract No.: 285248 Strategic Objective


FIWARE OpenSpecification Security Optional_Security_Enablers MalwareDetectionService




25 FIWARE OpenSpecification Security Optional_Security_Enablers MalwareDetectionService


Name: FIWARE.OpenSpecification.Security.Optional Security Enablers.MalwareDetectionService

Chapter: Security

Catalogue-Link to Implementation: Morphus

Owner: Inria, Jean-Yves Marion


25.1 Preface


This document contains a self-contained open specification of a FI-WARE generic enabler. Please consult as well the FI-WARE_Product_Vision, the website at http://www.fi-ware.eu and similar pages in order to understand the complete context of the FI-WARE project.

25.2 Copyright


  • Copyright © 2012-2014 by Inria

25.3 Legal Notice


Please check the following Legal Notice to understand the rights to use these specifications.

25.4 Overview


Malware are programs designed to behave in a way that the legitimate user does not want. They may be used to disrupt services, organise data leaks, or give access to non-authorised security levels on a system. Malware are a very common threat: more than 70 million such programs are known (cf. McAfee's report [1]). Furthermore, malware use increasingly sophisticated techniques, which complicates their detection. A virus such as Duqu was revealed only six months after its deployment (see Symantec's report on Duqu [2]).

One of the main issues in malware detection is that there is no way to definitively characterise a program by its behaviour, neither syntactically nor semantically. A malware may hide its code by means of many techniques, such as encryption, self-rewriting, and so on.

"Morphus" is a software capable of extracting (partly) a morphological signature from binary code that corresponds to the behaviour of malware. In doing so, it may bypass some standard encryption techniques. The software can be used within many scenarios. The main GE offers access to "Morphus" through a web service.

25.4.1 Target Usage


The malware detection service GE provides a mechanism for determining whether a submitted executable binary file is sane or infected by a malware. Depending on your needs, the service can answer SANE/INFECTED or with a distance vector to the malware database. The second option, the distance vector, offers a finer analysis of suspicious cases by indicating the composition of the infected binary (it shows the percentage of components from other malware).

25.4.2 Use Case


This is a typical scenario: the user has a suspicious binary file F and would like to estimate how dangerous it is. He sends a copy to "Morphus", which provides a distance vector to known malware. The report describes which malware occur in F and provides for each malware M an estimate of the level of infection of F by M, that is, a distance between the signature of F and the signature of M. Morphus provides two options of analysis, static or dynamic. A static analysis is fast but not very precise; a dynamic analysis is finer but less efficient, because the binary must be executed in a monitored environment.

25.5 Basic Concepts


Morphus reads input binary files and extracts signatures from them. Signatures are composed of sites, that is, abstract descriptions of the behaviour of the input program. For instance, one site could correspond to the initialisation of an RSA-encrypted channel. Binary files are then matched against malware sites. The signatures depend on selectable options such as dynamic/static analysis or security thresholds. The system currently provides only the static/dynamic choice; the other options are left for further releases. Morphus takes into account a white list database, that is, a list of known and safe signatures. Generally speaking, it contains signatures from basic operating system services.

Three consumers can be implemented from the delivered WSDL file:

  • scan client: returns the string SANE or INFECTED, or an error message when the service cannot extract a morphological graph (e.g. the GRAPH_TOO_SMALL or TIMEOUT string);

  • distance client: returns a distance matrix to a malware database. This distance evaluation indicates the distance of the input sample with respect to the malware of the database;

  • malware list consulting client: returns the list of all malware names that can be detected by the service.

A selectable option determines how the binary must be analysed (e.g. when the response of a first static analysis is GRAPH_TOO_SMALL, you can select dynamic mode and submit the binary file once more).

25.5.1 Example Scenario


In an information system, it is very important to check that all executable binary files coming from external sources are not infected by a malware. For instance, suppose that you have a mail gateway in your company for which you must decide which attached files can be delivered. In that case, it is possible to submit all executable binaries to the Malware Detection Service and use it as a filtering process.
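The gateway filter described here, together with the static-then-dynamic resubmission rule given under Basic Concepts, can be written as a small policy routine. The following is an added example and not code from the specification or from the Morphus project: the scan consumer generated from the WSDL is represented by an assumed callable `scan(binary, mode)` returning SANE, INFECTED or an error string, and the replies of `fake_scan` are constructed for the demonstration. The policy fails closed: only an explicit SANE lets an attachment through, and every error or unexpected reply quarantines it.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Mode(Enum):
    STATIC = "static"
    DYNAMIC = "dynamic"


class Verdict(Enum):
    DELIVER = "deliver"
    QUARANTINE = "quarantine"


# Assumed shape of a scan consumer built from the WSDL (hypothetical; the real
# client's name and signature are not given on this page): it takes the binary
# and the MODE option and returns SANE, INFECTED or an error string such as
# GRAPH_TOO_SMALL or TIMEOUT.
ScanFn = Callable[[bytes, Mode], str]


def filter_attachment(binary: bytes, scan: ScanFn) -> Tuple[Verdict, List[Tuple[Mode, str]]]:
    """Gateway policy for one attachment.

    Static analysis is tried first because it is fast. If Morphus cannot build
    a graph (GRAPH_TOO_SMALL), the file is resubmitted in dynamic mode, as the
    specification suggests. Only an explicit SANE lets the file through;
    INFECTED, TIMEOUT, a second GRAPH_TOO_SMALL or any unexpected reply
    quarantines it, so a scanner failure never turns into a delivered file.
    Returns the verdict and the (mode, reply) trail for the gateway log.
    """
    trail: List[Tuple[Mode, str]] = []
    mode = Mode.STATIC
    while True:
        reply = scan(binary, mode)
        trail.append((mode, reply))
        if reply == "SANE":
            return Verdict.DELIVER, trail
        if reply == "INFECTED":
            return Verdict.QUARANTINE, trail
        if reply == "GRAPH_TOO_SMALL" and mode is Mode.STATIC:
            mode = Mode.DYNAMIC          # one retry, in dynamic mode
            continue
        return Verdict.QUARANTINE, trail  # error or unknown reply: fail closed


# Constructed stand-in for the web service, keyed on sample content. The
# replies are invented for this demonstration and are not Morphus output.
FAKE_REPLIES: Dict[Tuple[bytes, Mode], str] = {
    (b"tiny-stub", Mode.STATIC): "GRAPH_TOO_SMALL",
    (b"tiny-stub", Mode.DYNAMIC): "SANE",
    (b"dropper", Mode.STATIC): "INFECTED",
    (b"packed-sample", Mode.STATIC): "GRAPH_TOO_SMALL",
    (b"packed-sample", Mode.DYNAMIC): "TIMEOUT",
    (b"clean-tool", Mode.STATIC): "SANE",
}


def fake_scan(binary: bytes, mode: Mode) -> str:
    """Constructed scanner: unknown samples time out, like an unreachable lab."""
    return FAKE_REPLIES.get((binary, mode), "TIMEOUT")


if __name__ == "__main__":
    for sample in (b"tiny-stub", b"dropper", b"packed-sample", b"clean-tool", b"never-seen"):
        verdict, trail = filter_attachment(sample, fake_scan)
        print(sample.decode(), verdict.value, [(m.value, r) for m, r in trail])
```

Keeping the trail alongside the verdict matters operationally: a gateway that quarantines on TIMEOUT should be able to show later whether the file was malicious or whether the High Security Lab was simply unreachable, so the two cases can be handled differently by whoever reviews the quarantine.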

25.6 Main Interactions


The Morphus software is available either as a web service or through a direct connection to the website.

Description

End-user applications send requests to submit a binary file for evaluation and determine whether it is sane or infected. Additionally, it is possible to list all recognised malware contained in the database.

Operations

Scan a binary file

Given a submitted binary file, this action has it scanned by Morphus. It answers either INFECTED for an infected binary file, or SANE otherwise. When a binary file is submitted for analysis, the MODE option can be selected as either static or dynamic.

Direct submission through a browser

  • Once authenticated, a normal user can submit a binary file by filling in a form (local binary path, scan action, mode between static and dynamic). The result is displayed directly in the browser.

Sequence diagram: binary scan from browser (figure morphusseqdiagscanbrowser.gif)

Web Services client application

  • The client application submits a binary file through the scan web service and waits until Morphus returns the distance vector result.

Sequence diagram: binary scan from web service application client (figure morphusseqdiagscanapp.gif)

Distance of a binary file

For this action, the user submits a binary file to the scanner as above, but in this case Morphus replies with the distance vector between the malware of the database and the submitted file.

The string format is DIST:"Submitted binary name"|percent (binary detected sites/database sites), percent (binary detected sites/malware sites): detected malware name| another distance vector |...

Example: DIST:"Backdoor.Win32.Hupigon.bhes.exe"|7.53% (125/1660), 14.63% (125/854): "HLLC.Asive"|15.12% (251/1660), 41.97% (251/598): "AutoRun.tl"|23.1% (382/1660), 90.30% (382/423): "KillApp.y"|

where

  • "Backdoor.Win32.Hupigon.bhes.exe" is the submitted binary file

  • 7.53% (125/1660) is the distance to the database

  • 14.63% (125/854) is the distance to the malware

  • "HLLC.Asive" is a detected malware name
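A client consuming the distance web service has to take this reply apart before it can act on it. The parser below is an added example, not code from the specification or from the Morphus project. It follows the reply quoted above exactly: the binary name in quotes, then one vector per malware, each giving the database-sites fraction first, the malware-sites fraction second, the quoted malware name, and a terminating "|". The `SAMPLE_REPLY` is the page's own example; the `strongest_match` helper and the check that both fractions share the same numerator are additions derived from that example, and a reply that deviates from the format is rejected rather than silently read as "no match".

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The example reply quoted in the specification, embedded here as sample input.
SAMPLE_REPLY = (
    'DIST:"Backdoor.Win32.Hupigon.bhes.exe"|'
    '7.53% (125/1660), 14.63% (125/854): "HLLC.Asive"|'
    '15.12% (251/1660), 41.97% (251/598): "AutoRun.tl"|'
    '23.1% (382/1660), 90.30% (382/423): "KillApp.y"|'
)


@dataclass(frozen=True)
class DistanceEntry:
    """One distance vector: how much of the submitted binary matches one malware."""
    malware: str
    db_percent: float     # detected sites relative to all database sites
    detected_sites: int   # sites of the binary found in this malware's signature
    database_sites: int
    mw_percent: float     # detected sites relative to this malware's own sites
    malware_sites: int


@dataclass(frozen=True)
class DistanceReport:
    binary_name: str
    entries: Tuple[DistanceEntry, ...]


# DIST:"<binary name>"| followed by zero or more vectors, each ending in "|".
_HEADER_RE = re.compile(r'^DIST:\s*"(?P<name>[^"]*)"\|')
_ENTRY_RE = re.compile(
    r'\s*(?P<dbp>\d+(?:\.\d+)?)%\s*\((?P<det>\d+)/(?P<dbs>\d+)\),'
    r'\s*(?P<mwp>\d+(?:\.\d+)?)%\s*\((?P<det2>\d+)/(?P<mws>\d+)\):'
    r'\s*"(?P<name>[^"]*)"\s*(?:\||$)'
)


def parse_dist(reply: str) -> DistanceReport:
    """Parse a DIST reply; raise ValueError on anything outside the documented
    format so that a malformed reply is never mistaken for a clean result."""
    header = _HEADER_RE.match(reply)
    if header is None:
        raise ValueError('reply does not start with DIST:"<name>"|')
    entries = []
    pos = header.end()
    while pos < len(reply):
        m = _ENTRY_RE.match(reply, pos)
        if m is None:
            raise ValueError(f"malformed distance vector at offset {pos}: {reply[pos:pos + 40]!r}")
        # Both fractions count the same detected sites (125/1660 and 125/854 in
        # the example); a disagreement means the reply was corrupted.
        if m.group("det") != m.group("det2"):
            raise ValueError("detected-site counts disagree within one vector")
        entries.append(DistanceEntry(
            malware=m.group("name"),
            db_percent=float(m.group("dbp")),
            detected_sites=int(m.group("det")),
            database_sites=int(m.group("dbs")),
            mw_percent=float(m.group("mwp")),
            malware_sites=int(m.group("mws")),
        ))
        pos = m.end()
    return DistanceReport(binary_name=header.group("name"), entries=tuple(entries))


def strongest_match(report: DistanceReport) -> Optional[DistanceEntry]:
    """The malware whose own signature is most completely present in the binary."""
    if not report.entries:
        return None
    return max(report.entries, key=lambda e: e.mw_percent)


if __name__ == "__main__":
    report = parse_dist(SAMPLE_REPLY)
    print(report.binary_name)
    for e in report.entries:
        print(f"  {e.malware}: {e.mw_percent}% of its sites, "
              f"{e.detected_sites}/{e.database_sites} database sites")
    print("strongest:", strongest_match(report).malware)
```

Note that the two percentages answer different questions: the malware-sites fraction says how much of a known malware's signature is present in the file (90.30% of KillApp.y's sites in the example), while the database-sites fraction is normalised by the whole database and so stays small even for a strong match. Ranking by the malware-sites fraction is what identifies the family the sample is built from.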


Direct submission through a browser

  • Once authenticated, a normal user can submit a binary file by filling in a form (local binary path, distance action, mode between static and dynamic). The result is displayed directly in the browser.

Sequence diagram: binary distance evaluation from browser (figure morphusseqdiagdistbrowser.gif)

Web Services client application

  • The client application submits a binary file through the distance web service and waits until Morphus returns a distance vector result.

The string format is DIST:"Submitted binary name"|percent (binary detected sites/database sites), percent (binary detected sites/malware sites): detected malware name| another distance vector |...

Sequence diagram: binary distance evaluation from web service application client (figure morphusseqdiagdistapp.gif)

List malware database

This action provides a listing of the malware names in the database.

Example of result: 1337Crypter.a|2005.or|ACVE.am|ACVE.az|AF.20|AFtp.10|AIMJaker.10|AInfBot.co|AInfBot.cq|AInfBot.o|...


Sequence diagram: consult malware list from browser (figure morphusseqdiaglistbrowser.gif)

25.6.1 Architecture


Malware Detection System architecture specification (figure morphusarchitecture.gif)

  • The Malware Detection Service is based on the Application Server and Enterprise Service Bus from the WSO2 enterprise middleware corporation (http://wso2.com) for transporting the binary file into the High Security Lab.

  • The morphological detection engine technology (Morphus) is developed by INRIA.
