Trendmicro Security Award 2012 Final Presentation


Published on September 24, 2012

Author: hiromu1996

Source: slideshare.net

Description

Lectured at Trendmicro Security Award 2012 Final Round

The new malware detection system with SEAndroid
Hiromu Yakura <hiromu1996@gmail.com>

Self-Introduction
• Hiromu Yakura
• 15 yo.
• Twitter: @hiromu1996

Self-Introduction
• Japanese national certified security specialist
  • Youngest record
• Competitive programmer
  • Asia and Pacific Informatics Olympiad
  • Won a bronze medal

Self-Introduction
• Linux kernel developer
  • Accepted some patches
• Android developer
  • Lectured about Android security: “What is SEAndroid?” at Tokyo University

Background
• An alarming increase in Android malware: a big threat
  (Source: McAfee Threats Report: First Quarter 2012)

Background
• Percentage of detected malware types
  (Source: F-Secure Mobile Threat Report 2012 Q1)

DroidKungFu
• This application contains exploit code
  • CVE-2009-1185: Linux kernel vulnerability
  • CVE-2010-EASY: Android vulnerability

DroidKungFu
• After gaining root access
  • Installs other malware without user permission
  • The user can’t delete the malware

Security Application
• Usual Android security applications
  • Can’t detect root access
  • Can’t remove DroidKungFu
  • Because of the Android sandbox

Security Application
• All of them adopt a signature-based system
  • Can’t detect zero-day attacks
  • Can’t detect encrypted files

The new system
• I propose a new system
  • Defends from zero-day attacks
  • Defends from root exploits

The new system
• System overview (diagram components: Application, Policy, SEAndroid, Jubatus, Log; layers: Linux Kernel, Android, Server)
• This system uses SEAndroid and Jubatus
  • Jubatus is a distributed learning system
  • SEAndroid is an LSM (Linux Security Module)

Jubatus
• Distributed processing framework
• Streaming machine learning library
  • Better at real-time and distributed processing than MapReduce / Hadoop

SEAndroid
• One of the popular LSMs
• Android version of SELinux
• Developed by the NSA

SEAndroid
• Mandatory Access Control
• Least privilege
• Audit log

The new system
• How it works (diagram components: Application, Policy, SEAndroid, Jubatus, Log; layers: Linux Kernel, Android, Server)
• When an application sends commands
• SEAndroid judges whether the command is valid according to the policy
• If SEAndroid judges the command valid, the command passes
• If SEAndroid judges the command invalid, the command is recorded in the audit log
• The system sends the log to Jubatus
• Jubatus judges the application is not malware: whitelisted
• Jubatus judges the application is malware
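The pipeline above (audit log of denied commands, per-process features, a learner trained from user feedback) as an added example that is not code from the talk: a parser for SELinux AVC denial lines stands in for the SEAndroid log parser, and a small perceptron stands in for Jubatus, whose client code is not on the page. The sample audit lines, pids, paths and labels are constructed.

```python
import re
from collections import defaultdict
# Constructed SEAndroid audit excerpt (not from the talk); pids 812/1020 look like a root exploit, 950 is benign.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1348470000.101:12): avc: denied { execute } for pid=812 comm="app_process" path="/data/data/com.example.one/files/helper" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=AVC msg=audit(1348470000.102:13): avc: denied { write } for pid=812 comm="app_process" name="app_process" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file
type=AVC msg=audit(1348470000.250:14): avc: denied { search } for pid=950 comm="app_process" name="/" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir
type=AVC msg=audit(1348470000.300:15): avc: denied { execute } for pid=1020 comm="app_process" path="/data/data/com.example.two/files/bin" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=AVC msg=audit(1348470000.301:16): avc: denied { write } for pid=1020 comm="app_process" name="app_process" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file
"""

AVC_RE = re.compile(r'avc: +denied +\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) .*?'
                    r'scontext=(?P<sctx>\S+) .*?tcontext=(?P<tctx>\S+) .*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """One AVC denial -> (pid, {"domain>target_type/class:perm": 1.0}); other lines -> None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    sdom, ttype = (m.group(g).split(":")[2] for g in ("sctx", "tctx"))  # u:r:<domain>:s0
    return int(m.group("pid")), {f"{sdom}>{ttype}/{m.group('tclass')}:{p}": 1.0 for p in m.group("perms").split()}

def features_per_pid(log_text):
    """Aggregate denial counts per process: this is the 'log' the learner receives."""
    vectors = defaultdict(lambda: defaultdict(float))
    for pid, feats in filter(None, map(parse_avc, log_text.splitlines())):
        for key, val in feats.items():
            vectors[pid][key] += val
    return vectors

class OnlineClassifier:
    """Perceptron standing in for Jubatus: one weight update per piece of user feedback."""
    def __init__(self):
        self.w, self.bias = defaultdict(float), 0.0
    def score(self, x):
        return self.bias + sum(self.w[k] * v for k, v in x.items())  # > 0 means malware
    def feedback(self, x, malware):
        """User feedback (True = malware); update weights only when the current guess is wrong."""
        y = 1.0 if malware else -1.0
        if y * self.score(x) <= 0:
            for k, v in x.items():
                self.w[k] += y * v
            self.bias += y

def classify_log(feedback, log_text):
    """Learn from feedback {pid: is_malware}, then judge every process seen in the log."""
    clf, vectors = OnlineClassifier(), features_per_pid(log_text)
    for pid, label in feedback.items():
        clf.feedback(vectors[pid], label)
    return {pid: clf.score(x) > 0 for pid, x in vectors.items()}
```

Only denied commands reach the learner, which is the talk's point about logging security incidents rather than hooking every syscall; pid 1020 is never labelled, yet is flagged because its denial pattern matches the one the user reported.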

~Demo~

Features
• Behavioral detection system
  • Defends from zero-day attacks
  • None of the existing products can defend against them

Features
• Uses SEAndroid (Linux Security Module)
  • Enables root access detection
  • Logs only security incidents
  • Higher precision and lighter weight than syscall hooking

Features
• Real-time machine learning
  • Learns from user feedback
  • Precision steadily improves
  • Jubatus is best suited for this system

Issue
• This system depends on SEAndroid
  • SEAndroid is built into the kernel
  • Vendors must install SEAndroid
• No device on the market supports SEAndroid

Solution
• This system can use another LSM
  • Only the log parser needs to change
• There are devices supporting TOMOYO Linux
  • TOMOYO Linux is an LSM
  • The devices are made by Fujitsu

Solution
• Works on some commercial devices
• In several years, all devices will support an LSM
  • Because an LSM is essential for Android

Lastly
• I want to
  • Improve the Android security system
  • Decrease the damage done by Android malware

Thank you for listening
