DAWN: A Novel Strategy for Detecting ASCII Worms in Networks

Parbati Kumar Manna

Sanjay Ranka

Shigang Chen

Department of Computer and Information Science and Engineering, University of Florida

IEEE INFOCOM 08

Outline
  • Introduction
  • ASCII Worm
  • Detection Strategies
  • Probabilistic Analysis
  • Implementation
  • Evaluation
  • Conclusions
Introduction
  • Almost any ASCII string translates into a syntactically correct sequence of instructions
  • The proportion of branch instructions for ASCII data is significantly higher than that of binary data
  • Prune the number of paths to be inspected
ASCII Worm
  • ASCII data: 0x20 ~ 0x7E
  • Maximal valid instruction sequence
    • LMVI: Length of Maximal Valid Instruction sequence
ASCII Worm
  • Intel opcodes in ASCII
    • Dual-operand register/memory manipulation
      • sub, xor, inc, imul
    • Single-operand register manipulation
      • inc, dec
    • Stack-manipulation
      • push, pop, popa
    • Jump
      • jo, jno, jb, jae, je, jne, jbe, ja, js, jns, jp, jnp, jnge, jnl, jng
ASCII Worm
    • I/O operation
      • insb, insd, outsb, outsd
    • Miscellaneous
      • aaa, daa, das, bound, arpl
    • Operand and Segment override prefixes
      • cs, ds, es, fs, gs, ss, a16, o16
  • mov eax, ebx  →  push ebx; pop eax
ASCII Worm
  • Both the decrypter and the encrypted payload should be ASCII
  • The size of the decrypter should be small
  • There should not be a significant size discrepancy between the encrypted payload and the cleartext
Detection Strategies
  • Constraints of an ASCII Worm
    • Opcode Unavailability
    • Difficulty in Encryption
    • Control Flow Constraints
  • Self-mutation is a mandatory constraint
  • n bytes of instructions  →  O(n) bytes of decrypter
Detection Strategies
  • Prevalence of Privileged Instructions
    • l, m, n, o  →  insb, insd, outsb, outsd
  • Illegal Memory Access
    • Uninitialized register
    • Wrong Segment selector
    • Explicit Memory Address
Probabilistic Analysis
  • Assumptions:
    • The characters in the traffic are independently distributed
  • Bernoulli trial
Probabilistic Analysis
  • Invalid instruction
    • Privileged instruction
    • Memory-accessing instructions
Probabilistic Analysis
  • Notation:
    • p: the probability of invalid instruction
    • n: the total num of instructions
    • N: total num of invalid instructions (the num of valid instruction sequences)
    • Instruction stream (S1S2S3…SN)
    • Xi: the length of Si
    • Xmax: max{X1,X2,…,XN}
Probabilistic Analysis
  • p.m.f of N:
  • p.m.f of Xi:
  • c.d.f of Xi:
Probabilistic Analysis
  • For an instance of exactly N sequences
Probabilistic Analysis
  • The c.d.f of Xmax
Probabilistic Analysis
  • The p.m.f of Xmax
Probabilistic Analysis
  • Verifying Model
    • Using Monte-Carlo Simulation
Implementation
  • Instruction Disassembly
  • Instruction Sequence Analysis
Evaluation
  • Creation of the Test Data
    • Benign data: 100 cases, each containing nearly 4K printable ASCII characters
Evaluation
  • Determining Appropriate Thresholds for the Test Data
    • Determining p
      • 0.227
    • Determining n
      • 1540
    • Determining the threshold τ
      • 40 (when α = 0.01)
Evaluation
  • Experimental Results and Assessing the Effectiveness of the Detection Method
Conclusions
  • An ASCII worm must self-mutate to generate binary opcodes
  • This mutation requires a lot of memory-writing instructions
  • The size of the decrypter is relatively big for an ASCII worm
Conclusions
  • Benign ASCII data does not have such a long executable instruction sequence
  • The length of the maximal valid instruction sequence can be used to differentiate between benign and malicious data
Determining p
  • p = Prob[I/O instruction] + Prob[wrong-segment-override memory-accessing instruction] = 18.5% + 4.2% = 22.7%

Determining n
  • E[length of instruction] = E[length of prefix chain] + E[length of actual instruction] = 2.6
  • n = total num of input characters / E[instruction size] = 4000 / 2.6 ≈ 1540
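The model sketched on the Probabilistic Analysis slides and the threshold determination on the Evaluation slides, worked through as an added example (my own code, not the authors' DAWN implementation): each of the n instructions is invalid with probability p independently (the Bernoulli trial), the N invalid instructions delimit N valid sequences whose lengths Xi are geometric, and τ is taken to be the smallest value with Prob[Xmax > τ] ≤ α (the rejection rule is my assumption). A Monte Carlo run over simulated benign streams checks the model the way the slides describe, with p = 0.227, n = 1540 and α = 0.01 taken from the slides.

```python
import math
import random

# Parameters as determined on the slides
P_INVALID = 0.227   # p: Prob[an instruction is invalid] = 18.5% + 4.2%
N_INSTR = 1540      # n: instructions in ~4000 printable ASCII chars (4000 / 2.6)
ALPHA = 0.01        # tolerated false-positive rate on benign data


def log_binom_pmf(n, k, p):
    """log Prob[N = k] for N ~ Binomial(n, p): the p.m.f. of N, the number of
    invalid instructions, under the independence assumption (log space so
    that C(1540, k) never overflows a float)."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def cdf_xmax(x, n=N_INSTR, p=P_INVALID):
    """Prob[Xmax <= x], conditioning on the number N of valid sequences.
    Each Xi is geometric: Prob[Xi <= x] = 1 - (1-p)^(x+1), because x valid
    instructions are followed by an invalid one with probability p.
    For an instance of exactly N sequences, Prob[Xmax <= x] = F_Xi(x)^N."""
    f_xi = 1.0 - (1.0 - p) ** (x + 1)
    return sum(math.exp(log_binom_pmf(n, k, p) + k * math.log(f_xi))
               for k in range(n + 1))


def threshold(alpha=ALPHA, n=N_INSTR, p=P_INVALID):
    """Smallest tau such that Prob[Xmax > tau] <= alpha on benign input; an
    input whose LMVI exceeds tau is flagged (assumed rejection rule)."""
    tau = 0
    while 1.0 - cdf_xmax(tau, n, p) > alpha:
        tau += 1
    return tau


def simulate_lmvi(rng, n=N_INSTR, p=P_INVALID):
    """One simulated benign stream of n Bernoulli trials; returns the length
    of its longest run of valid instructions, i.e. the LMVI of that stream."""
    best = run = 0
    for _ in range(n):
        run = 0 if rng.random() < p else run + 1
        best = max(best, run)
    return best


def monte_carlo_fp_rate(tau, streams=4000, seed=1):
    """Fraction of simulated benign streams whose LMVI exceeds tau."""
    rng = random.Random(seed)
    return sum(simulate_lmvi(rng) > tau for _ in range(streams)) / streams


if __name__ == "__main__":
    tau = threshold()
    print(f"tau = {tau}, model FP rate = {1 - cdf_xmax(tau):.4f}, "
          f"Monte Carlo FP rate = {monte_carlo_fp_rate(tau):.4f}")
```

Conditioning on N collapses to the closed form Prob[Xmax ≤ x] = (1 − p(1−p)^(x+1))^n by the binomial theorem, which the summation reproduces and which yields τ = 40 for α = 0.01, matching the slides.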