Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detection of ASCII Malware Parbati Kumar Manna Dr. Sanjay Ranka Dr. Shigang Chen.

Published byPeter Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Detection of ASCII Malware Parbati Kumar Manna Dr. Sanjay Ranka Dr. Shigang Chen."— Presentation transcript:

1 Detection of ASCII Malware Parbati Kumar Manna Dr. Sanjay Ranka Dr. Shigang Chen

2 2 Internet Worm and Malware Huge damage potential  Infects hundreds of thousands of computers  Costs millions of dollars in damage  Melissa, ILOVEYOU, Code Red, Nimda, Slammer, SoBig, MyDoom Mostly uses Buffer Overflow Propagation is automatic (mostly)

3 3 Recent Trends Shift in hacker’s mindset Malware becoming increasingly evasive and obfuscative Emergence of Zero-day worms Arrival of Script Kiddies

4 4 Motivation for ASCII Attacks Prevalence of servers expecting text-only input Text-based protocols Presumption of text being benign Deployment of ASCII filter for bypassing text

5 5 IDS Detecting ASCII Attack? Disassembly-based IDS  All jump instructions are ASCII  Higher proportion of branches  Exponential disassembly cost  High processing overhead for IDS Frequency-based IDS  PAYL evaded by ASCII worm

6 6 Buffer Overflow

7 7 Opcode Unavailability  Shellcode requires binary opcodes  Here only xor, and, sub, cmp etc.  Must generate opcodes dynamically Difficulty in Encryption  No backward jump  Can’t use same decrypter routine for each encrypted block  No one-to-one correspondence between ASCII and binary Constraints of ASCII Malware 0mayvary ASCII binary

8 8 Creation of ASCII Malware

9 9 Buffer Overflow using ASCII Overflowing a buffer using an ASCII string:

10 10 Opcode Unavailability  Dynamic generation of opcodes needs more ASCII instructions for each binary instruction Difficulty in Encryption  No backward jump means decrypter block for each encrypted block must be hardcoded  Long sequence of contiguous valid instructions likely  high MEL Detection of ASCII Malware What is this MEL?

11 11 Indicates maximum length of an execution path  Need to disassemble (and execute) from all possible entry points  All branching must be considered Abstract payload execution  Used for binary worms with sled  Effectiveness dwindled presently Maximum Executable Length

12 12 Benign Text has Low MEL Contains characters that correspond to invalid instructions  Privileged Instruction (I/O)  Arbitrary Segment Selector  More Memory-accessing instructions – may use uninitialized registers  Long sequence of contiguous valid instructions unlikely  low MEL

13 13 Proposed Solution Question: How long is “long”? Find out the maximum length of valid instruction sequence If it is long enough, the stream contains a malware

14 14 Toss a coin n times What is the probability that the max distance between two consecutive heads is ? Probabilistic Analysis Head (H) Invalid Instruction (I) Tail (T) Valid Instruction (v) T H T T H T T T T T H T T TV I V V I V V V V V I V V VT H T T H T T T T T H T T TV I V V I V V V V V I V V V

15 15 Probabilistic Analysis n = number of coin tosses p = probability of a head X i = R.V.s for inter-head distances X max = Max inter-head distance C.D.F of X max = Prob [ X max ≤ x ] = [1 – p(1-p) x ] n F.P. rate  = 1 - Prob [ X max ≤ τ ] = 1 - [1 – p(1-p) τ ] n

16 16 Probabilistic Analysis For a fixed N = k (exactly k invalid instructions)

17 17 Probabilistic Analysis For all possible values of N:

18 18 Threshold Calculation n, p,  (false positive rate)  (max inter-head distance) Known Unknown Threshold

19 19 Independence Assumption  2 test contingency table ObservedExpected I 2 is valid I 2 is invalid I 1 is valid I 2 is invalid I 1 is valid8960279789222835 I 1 is invalid27979382835900 Validity of an instruction is an independent event All the X i ’s are independent (while  X i = n)

20 20 Threshold Calculation With increasing n, we must choose a larger  to keep the same rate of false positive 

21 21 Threshold Calculation With decreasing p, we must choose a larger  to keep the same rate of false positive 

22 22 Determine n E [ I ] = E [ Prefix chain length ] + E [ core instruction length ] Obtained from character frequency of input data

23 23 1.Privileged instructions 2.Wrong Segment Prefix Selector 3.Un-initialized memory access Determine p Invalid Instructions Only 1. and 2. can be determined on a standalone basis

24 24 Experimental Setup

25 25 Implementation

26 26 Experimental Setup Benign data setup  ASCII stream captured from live CISE network using Ethereal Malicious data setup  Existing framework used to generate ASCII worm by converting binary worms Promising experimental results for max valid instruction length  Benign: all max values all below threshold   Malicious: values significantly higher than 

27 27 Experimental Results (DAWN)

28 28 Experimental Results (APE-L)

29 29 Contrasting with APE Full content examination Threshold calculation Sled Vs. malware Exploiting text-specific properties

30 30 Multilevel Encryption Encryption Decryption binary ASCII binary Only Visible decrypter

31 31 Multilevel Encryption Text 0x20 – 0x3F Text 0x40 – 0x5F Text 0x60 – 0x7E     Binary 

32 32 Questions

33 33 Thank you

Download ppt "Detection of ASCII Malware Parbati Kumar Manna Dr. Sanjay Ranka Dr. Shigang Chen."

Similar presentations

LEARNING INFLUENCE PROBABILITIES IN SOCIAL NETWORKS Amit Goyal Francesco Bonchi Laks V. S. Lakshmanan University of British Columbia Yahoo! Research University.

LEARNING INFLUENCE PROBABILITIES IN SOCIAL NETWORKS Amit Goyal Francesco Bonchi Laks V. S. Lakshmanan University of British Columbia Yahoo! Research University.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
Tools for Text Review. Algorithms The heart of computer science Definition: A finite sequence of instructions with the properties that –Each instruction.

Tools for Text Review. Algorithms The heart of computer science Definition: A finite sequence of instructions with the properties that –Each instruction.
Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.

Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.

Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Catching Accurate Profiles in Hardware Satish Narayanasamy, Timothy Sherwood, Suleyman Sair, Brad Calder, George Varghese Presented by Jelena Trajkovic.

Catching Accurate Profiles in Hardware Satish Narayanasamy, Timothy Sherwood, Suleyman Sair, Brad Calder, George Varghese Presented by Jelena Trajkovic.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.

A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.
Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant.

Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
1 Email Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

Similar presentations

Ads by Google