SA3: Automatic Semantic Aware Attribution Analysis of Remote Exploits

Kong, Deguang; Tian, Donghai; Liu, Peng; Wu, Dinghao

doi:10.1007/978-3-642-31909-9_11

Cited by 6 publications

(10 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We performed the same testing procedure mentioned in the previous section to test the accuracy of our model for 2, ..., 13 shellcode classes. Our model can achieve 100% classification accuracy for up to 6 shellcode engines and 95.0% classification accuracy for 11 classes, which is higher than previous efforts [16]. Note that, compared with [16] in which a specific model is built for each shellcode class, our approach only use one model to classify instances from all kinds of classes, hence does not need different parameter settings for each model.…”

Section: ) the Hardness Of Multi-class Attributingmentioning

confidence: 90%

“…Even though some payloads are not compatible with specific encoders, we successfully collected 13,176 encoded shellcode samples for attribution analysis. Compared with existing research bodies in both shellcode detection and attribution [7], [30], [26], [29], [16], our shellcode dataset covers a more comprehensive set of samples in term of underlying platform, payload functionality, and encoder class.…”

Section: A Data Collection and Implementationmentioning

confidence: 99%

“…However, their solutions were vulnerable to byte cramming [12] and polymorphic blending attacks [13]. Recently, Kong et al [16] proposed to take advantage of semantic analysis and sequential models on n-gram data bytes to analyze the attribution of exploits. Wartell et al [31] developed machine learning-based algorithms to differentiate code from data.…”

Section: Related Workmentioning

confidence: 99%

“…Encoded shellcode attribution that tells whether the newly-captured shellcode sample is generated by a known shellcode engine provides security analysts and practitioners with more intelligence about the attack event and the adversaries behind the scene than simplistic detection approaches. However, existing work on this topic [16] that utilize byte characteristics still face the same challenges as binary code detection with byte anomaly analysis does.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Using instruction sequence abstraction for shellcode detection and attribution

Zhao

Ahn

2013

2013 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Abstract-Although several research teams have focused on binary code injection, it is still an unsolved problem. Misuse-based detection lacks the flexibility to tackle unseen malicious code samples and anomaly-based detection on byte patterns is highly vulnerable to byte cramming and blending attacks. In addition, it is desperately needed to correlate newly-detected code injection instances with known samples for better understanding the attack events and tactically mitigating future threats. In this paper, we propose a technique for modeling shellcode detection and attribution through a novel feature extraction method, called instruction sequence abstraction, that extracts coarse-grained features from an instruction sequence. Our technique facilitates a Markovchain-based model for shellcode detection and support vector machines for encoded shellcode attribution. We also describe our experimental results on shellcode samples to demonstrate the effectiveness of our approach.

show abstract

Section: ) the Hardness Of Multi-class Attributingmentioning

confidence: 90%

Section: A Data Collection and Implementationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Using instruction sequence abstraction for shellcode detection and attribution

Zhao

Ahn

2013

2013 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

show abstract

“…A few other efforts (e.g., [7,14,10,1,12,13]) also considered using the structure information in malware programs. For instance, Hu et al used FCGs extracted from malware programs for fast indexing, which aims to find the nearest neighbors of a new malware sample [7], and Kruegel et al formulated the problem of polymorphic worm detection as coloring of control flow graphs [14].…”

Section: Related Workmentioning

confidence: 99%

Discriminant malware distance learning on structural information for automated malware classification

Kong

Yan

2013

Proceedings of the 19th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining

Self Cite

143

View full text Add to dashboard Cite

The voluminous malware variants that appear in the Internet have posed severe threats to its security. In this work, we explore techniques that can automatically classify malware variants into their corresponding families. We present a generic framework that extracts structural information from malware programs as attributed function call graphs, in which rich malware features are encoded as attributes at the function level. Our framework further learns discriminant malware distance metrics that evaluate the similarity between the attributed function call graphs of two malware programs. To combine various types of malware attributes, our method adaptively learns the confidence level associated with the classification capability of each attribute type and then adopts an ensemble of classifiers for automated malware classification. We evaluate our approach with a number of Windows-based malware instances belonging to 11 families, and experimental results show that our automated malware classification method is able to achieve high classification accuracy.

show abstract

Semantic aware attribution analysis of remote exploits

Kong

Tian

Pan

et al. 2012

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis (i.e., to automatically categorize exploits or determine whether an exploit is a variant of an attack from the past) is also very important. In this paper, we present SA3, a novel exploit code attribution analysis that combines semantics‐based analysis and statistical modeling to automatically categorize given exploit code. SA3 extracts semantic features from exploit code through data anomaly analysis and then attributes the exploit to an appropriate class on the basis of our statistical model derived from a Markov model. We evaluate SA3 over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA3 is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings with false positive rate no more than 4.5%. The novelty of SA3 is that it combines semantic analysis with statistical modeling for exploit code attribution analysis. Copyright © 2012 John Wiley & Sons, Ltd.

show abstract

SA3: Automatic Semantic Aware Attribution Analysis of Remote Exploits

Cited by 6 publications

References 25 publications

Using instruction sequence abstraction for shellcode detection and attribution

Using instruction sequence abstraction for shellcode detection and attribution

Discriminant malware distance learning on structural information for automated malware classification

Semantic aware attribution analysis of remote exploits

Contact Info

Product

Resources

About