{"title":"New directions in covert malware modeling which exploit white-listing","authors":"Jisheng Wang, G. Kesidis, David J. Miller","doi":"10.1109/SARNOF.2007.4567340","DOIUrl":null,"url":null,"abstract":"Zero-day attacks, especially those that hide the attack exploit behind code obfuscation and encryption, remain a formidable challenge to existing network defenses. Many techniques have been developed that can address known attacks and similar new attacks that may arise in the future. Some methods, such as Earlybird and Polygraph, focus on the prevalence of string content in payloads; others focus on the presence of particular i386 instructions, e.g., Sigfree counts the number of “useful” instructions in each request. For both types of systems, a white-listing mechanism, in which some strings or instructions are regarded as innocuous, is necessary to avoid the high false positive rate that common content such as URL addresses and peer-to-peer traffic would otherwise cause. In this paper, we explore a more sophisticated attack model that not only makes malcode payloads look like nominal ones, but is also assumed to be both aware of and exploitative of the white-listing itself in forming a Trojan mechanism. In other words, the malware attempts to embed its malcode into the prevalent content that is normally white-listed. If the malcode is encrypted, the attacker will also attempt to obfuscate its plain-text decryption code as much as possible. Both current string-based and instruction-based systems will likely fail to detect such attacks. We propose a comprehensive IDS model in the paper and discuss some potential defensive mechanisms against such attacks.","PeriodicalId":293243,"journal":{"name":"2007 IEEE Sarnoff Symposium","volume":"93 13","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE Sarnoff Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SARNOF.2007.4567340","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1
Abstract
Zero-day attacks, especially those that hide the attack exploit behind code obfuscation and encryption, remain a formidable challenge to existing network defenses. Many techniques have been developed that can address known attacks and similar new attacks that may arise in the future. Some methods, such as Earlybird and Polygraph, focus on the prevalence of string content in payloads; others focus on the presence of particular i386 instructions, e.g., Sigfree counts the number of “useful” instructions in each request. For both types of systems, a white-listing mechanism, in which some strings or instructions are regarded as innocuous, is necessary to avoid the high false positive rate that common content such as URL addresses and peer-to-peer traffic would otherwise cause. In this paper, we explore a more sophisticated attack model that not only makes malcode payloads look like nominal ones, but is also assumed to be both aware of and exploitative of the white-listing itself in forming a Trojan mechanism. In other words, the malware attempts to embed its malcode into the prevalent content that is normally white-listed. If the malcode is encrypted, the attacker will also attempt to obfuscate its plain-text decryption code as much as possible. Both current string-based and instruction-based systems will likely fail to detect such attacks. We propose a comprehensive IDS model in the paper and discuss some potential defensive mechanisms against such attacks.
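The blind spot the abstract describes, made concrete with a toy string-prevalence detector. This is an added illustration, not code from the paper and not its proposed IDS model: it fingerprints fixed 16-byte windows of each payload (Earlybird uses Rabin fingerprints over similar windows) and flags any window seen from several distinct sources. The whitelist entries, the host names, the "malcode" byte string and the three whitelist policies are all constructed for the example. The point it demonstrates is that the scope of the whitelist exemption decides whether content an attacker tucks inside whitelisted traffic is ever counted: a whitelist applied to whole payloads ("this request is a normal GET, skip it") never sees the replicating bytes, whereas a whitelist applied only to the whitelisted windows themselves still counts everything around them.

```python
"""Toy content-prevalence detector (Earlybird-style fixed-window shingling)
with three whitelist policies. Added illustration of the whitelist blind spot
described in the abstract; not code from the paper. All traffic is constructed."""
import hashlib
from collections import defaultdict

SHINGLE = 16              # bytes per fingerprint window
PREVALENCE_THRESHOLD = 3  # flag content seen from at least this many distinct sources

# Constructed whitelist: innocuous content that is prevalent by nature
# (stand-ins for the URL prefixes and peer-to-peer handshakes the abstract mentions).
WHITELIST = [
    b"GET http://www.example.net/index.html HTTP/1.1\r\nHost: www.example.net\r\nCookie: sid=",
    b"\x13BitTorrent protocol" + b"\x00" * 8,
]


def shingles(payload):
    """Every SHINGLE-byte window of the payload. Earlybird uses Rabin fingerprints
    over such windows; a plain hash is enough to show the policy difference."""
    return [payload[i:i + SHINGLE] for i in range(len(payload) - SHINGLE + 1)]


def fingerprint(window):
    return hashlib.blake2b(window, digest_size=8).digest()


# Fingerprints of every window that lies entirely inside a whitelisted string.
WHITELISTED_FPS = {fingerprint(w) for entry in WHITELIST for w in shingles(entry)}


def prevalent_content(flows, policy):
    """flows: list of (source_host, payload_bytes).
    policy "none":      fingerprint everything (no whitelist at all)
           "payload":   drop the whole payload if it contains any whitelisted string
           "substring": fingerprint everything, then discard only the windows that
                        are themselves whitelisted content
    Returns the set of windows seen from >= PREVALENCE_THRESHOLD distinct sources."""
    sources = defaultdict(set)  # fingerprint -> source hosts that sent it
    sample = {}                 # fingerprint -> one example window, for reporting
    for src, payload in flows:
        if policy == "payload" and any(w in payload for w in WHITELIST):
            continue
        for window in shingles(payload):
            f = fingerprint(window)
            if policy == "substring" and f in WHITELISTED_FPS:
                continue
            sources[f].add(src)
            sample[f] = window
    return {sample[f] for f, hosts in sources.items() if len(hosts) >= PREVALENCE_THRESHOLD}


# Constructed traffic. Five benign clients send the whitelisted request, each with a
# unique session cookie; four infected hosts send the same request with a replicating
# payload carried in the cookie value, i.e. embedded inside whitelisted content.
MALCODE = b"<<constructed stand-in for replicating malcode>>"
SAMPLE_FLOWS = (
    [(f"client{i}", WHITELIST[0] + bytes([0x61 + i]) * 12 + b"\r\n\r\n") for i in range(5)]
    + [(f"infected{i}", WHITELIST[0] + MALCODE + b"\r\n\r\n") for i in range(4)]
)

if __name__ == "__main__":
    for policy in ("none", "payload", "substring"):
        hits = prevalent_content(SAMPLE_FLOWS, policy)
        print(f"{policy:9s}: {len(hits):3d} prevalent windows, "
              f"malcode caught={any(w in MALCODE for w in hits)}, "
              f"whitelisted content flagged={any(w in WHITELIST[0] for w in hits)}")
```

Running it shows the three regimes the abstract contrasts: with no whitelist the common GET line itself is reported as prevalent (the false positives that make whitelisting necessary); with a payload-level whitelist nothing is reported at all, because every infected request also contains the whitelisted string; with a window-level whitelist the benign cookies stay below threshold while the bytes shared by the four infected hosts are caught. The window-level policy is only a scoping caveat, not a complete defence: the paper's threat model also assumes the attacker encrypts the malcode and obfuscates the decryptor, which a prevalence count over raw bytes does not address.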