Abstract
Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis, i.e., to automatically categorize exploits or to determine whether an exploit is a variant of an attack from the past, is also very important. In this paper, we present SA3, an exploit code attribution analysis which combines semantic analysis and statistical analysis to automatically categorize a given exploit code. SA3 extracts semantic features from an exploit code through data anomaly analysis, and then attributes the exploit to an appropriate class based on our statistical model derived from a Markov model. We evaluate SA3 over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA3 is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings with false positive rate no more than 4.5%. To our knowledge, SA3 is the first work combining semantic analysis with statistical analysis for exploit code attribution analysis.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
CRET: Computer emergency response team, http://www.cret.org/
Securityfocus, http://www.securityfocus.com/
Baecher, P., Koetter, M.: Getting around non-executable stack (and fix), http://libemu.carnivore.it/
Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Emulation-Based Detection of Non-self-contained Polymorphic Shellcode. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 87–106. Springer, Heidelberg (2007)
Bania, P.: Evading network-level emulation, http://packetstormsecurity.org/papers/bypass/
Konrad Rieck, T.K., Dewald, A.: Cujo: Efficient detection and prevention of drive-by-download attacks. In: Proc. of 26th Annual Computer Security Applications Conference, ACSAC (2010)
Wang, K., Cretu, G.F., Stolfo, S.J.: Anomalous Payload-Based Worm Detection and Signature Generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227–246. Springer, Heidelberg (2006)
Song, Y., Keromytis, A.D., Stolfo, S.J.: Spectrogram: A mixture of Markov chains model for anomaly detection in web traffic. In: Proceedings of the Network and Distributed System Security Symposium (2009)
AV-test, http://www.av-test.org/
Hu, X., Chiueh, T.-C, Shin, K.G.: Large-scale malware indexing using function-call graphs. In: ACM Conference on Computer and Communications Security, pp. 611–620 (2009)
Song, Y., Locasto, M.E., Stavrou, A., Keromytis, A.D., Stolfo, S.J.: On the infeasibility of modeling polymorphic shellcode. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 541–551 (2007)
Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. In: Technical Report 148. University of Auckland (1997)
Detristan, T., Ulenspiegel, T., Malcom, Y., Superbus, M., Underduk, V.: Polymorphic shellcode engine using spectrum analysis, http://www.phrack.org/show.php?p=61&a=9
Moore, H.: The metasploit project, http://www.metasploit.com
Wang, X., Pan, C.C., Liu, P., Zhu, S.: SigFree: A signature-free buffer overflow attack blocker. In: 15th Usenix Security Symposium (2006)
Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)
Bellman, R.E.: Adaptive Control Processes: A Guided Tour. Princeton University Press (1961)
Meyn, S.P., Tweedie, R.: Markov Chains and Stochastic Stability. Cambridge University Press (2005)
Aldrich, J.: R.A. Fisher and the making of maximum likelihood 1912-1922. Statistical Science 12, 162–176 (1997)
Dempster, A., Laird, N., Rubin, D.: Maximum likelihood from incomplete data via the EM algorithm. Journal of the Royal Statistical Society, 1–38 (1977)
Bertsekas, D.P.: Nonlinear Programming. Athena Scientific, Cambridge (1999)
Macaulay, S.: Admmutate: Polymorphic shellcode engine, http://www.ktwo.ca/security.html
Jemiscode: Jemiscodes - a polymorphic shellcode generator, http://www.shellcode.com.ar/en/proyectos.html
Wang, X., Jhi, Y.C., Zhu, S., Liu, P.: STILL: Exploit code detection via static taint and initialization analyses. In: Proceedings of Annual Computer Security Applications Conference, ACSAC (2008)
Li, Z., Sanghi, M., Chen, Y., Kao, M.Y., Chavez, B.: Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In: IEEE Symposium on Security and Privacy (2006)
Newsome, J., Karp, B., Song, D.: Polygraph: Automatic signature generation for polymorphic worms. In: IEEE Symposium on Security and Privacy (2005)
Chung, S.P., Mok, A.K.: Advanced Allergy Attacks: Does a Corpus Really Help? In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 236–255. Springer, Heidelberg (2007)
Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Network–Level Polymorphic Shellcode Detection Using Emulation. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 54–73. Springer, Heidelberg (2006)
Gu, B., Bai, X., Yang, Z., Champion, A.C., Xuan, D.: Malicious shellcode detection with virtual memory snapshots. In: INFOCOM, pp. 974–982 (2010)
Christodorescu, M., Kruegel, C., Jha, S.: Mining specifications of malicious behavior. In: Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2007), pp. 5–14. ACM Press, New York (2007)
Preda, M.D., Christodorescu, M., Jha, S., Debray, S.: A semantics-based approach to malware detection. In: Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2007), pp. 377–388. ACM Press, New York (2007)
Borders, K., Prakash, A., Zielinski, M.: Spector: Automatically analyzing shell code. In: Proceedings of the 23rd Annual Computer Security Applications Conference, pp. 501–514 (2007)
Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of Network and Distributed System Security Symposium (2005)
Krugel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection Using Structural Information of Executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)
Pedro, N.D., Domingos, P., Sumit, M., Verma, S.D.: Adversarial classification. In: 10th ACM SIGKDD Conference On Knowledge Discovery and Data Mining, pp. 99–108 (2004)
Kong, D., Jhi, Y.-C., Gong, T., Zhu, S., Liu, P., Xi, H.: SAS: Semantics Aware Signature Generation for Polymorphic Worm Detection. In: Jajodia, S., Zhou, J. (eds.) SecureComm 2010. LNICST, vol. 50, pp. 1–19. Springer, Heidelberg (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Kong, D., Tian, D., Liu, P., Wu, D. (2012). SA3: Automatic Semantic Aware Attribution Analysis of Remote Exploits. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-31909-9_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31908-2
Online ISBN: 978-3-642-31909-9
eBook Packages: Computer ScienceComputer Science (R0)