Semantic aware attribution analysis of remote exploits

Abstract: Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis (i.e., to automatically categorize exploits or determine whether an exploit is a variant of an attack from the past) is also very important. In this paper, we present SA3, a novel exploit code attribution analysis that combines semantics-based analysis and statistical modeling to automatically categorize given exploit code. SA3 extracts semantic features from exploit code through data anomaly analysis and then attributes the exploit to an appropriate class on the basis of our statistical model derived from a Markov model. We evaluate SA3 over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA3 is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings with a false positive rate of no more than 4.5%. The novelty of SA3 is that it combines semantic analysis with statistical modeling for exploit code attribution analysis. Copyright © 2012 John Wiley & Sons, Ltd.

Bibliographic details
Published in: Security and communication networks, 2013-07, Vol.6 (7), p.818-832
Authors: Kong, Deguang; Tian, Donghai; Pan, Qiha; Liu, Peng; Wu, Dinghao
Format: Article
Language: eng
DOI: 10.1002/sec.613
Online access: Full text
Publisher: London: Blackwell Publishing Ltd
ISSN: 1939-0114
EISSN: 1939-0122
Record ID: cdi_proquest_miscellaneous_1439728541
Source: Elektronische Zeitschriftenbibliothek - Frei zugängliche E-Journals; Alma/SFX Local Collection
Subjects: Accuracy; Anomalies; attribution; Binary codes; Communication networks; malware classification; Markov models; Mathematical models; mixture Markov model; remote exploit; Semantics; shellcode; Statistical analysis
Full-text link (OpenURL): https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-08T05%3A10%3A55IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Semantic%20aware%20attribution%20analysis%20of%20remote%20exploits&rft.jtitle=Security%20and%20communication%20networks&rft.au=Kong,%20Deguang&rft.date=2013-07&rft.volume=6&rft.issue=7&rft.spage=818&rft.epage=832&rft.pages=818-832&rft.issn=1939-0114&rft.eissn=1939-0122&rft_id=info:doi/10.1002/sec.613&rft_dat=%3Cproquest_cross%3E1439728541%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1370061642&rfr_iscdi=true