TY - GEN
T1 - SA3
T2 - 7th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2011
AU - Kong, Deguang
AU - Tian, Donghai
AU - Liu, Peng
AU - Wu, Dinghao
PY - 2012
Y1 - 2012
N2 - Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis, i.e., automatically categorizing exploits or determining whether an exploit is a variant of a past attack, is also very important. In this paper, we present SA3, an exploit code attribution analysis which combines semantic analysis and statistical analysis to automatically categorize a given exploit code. SA3 extracts semantic features from an exploit code through data anomaly analysis, and then attributes the exploit to an appropriate class based on our statistical model derived from a Markov model. We evaluate SA3 over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA3 is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings, with a false positive rate of no more than 4.5%. To our knowledge, SA3 is the first work combining semantic analysis with statistical analysis for exploit code attribution analysis.
KW - Attribution
KW - Mixture of Markov Model
KW - Remote Exploit
KW - Shellcode
UR - http://www.scopus.com/inward/record.url?scp=84869595853&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-31909-9_11
DO - 10.1007/978-3-642-31909-9_11
M3 - Conference contribution
AN - SCOPUS:84869595853
SN - 9783642319082
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
SP - 190
EP - 208
BT - Security and Privacy in Communication Networks - 7th International ICST Conference, SecureComm 2011, Revised Selected Papers
Y2 - 7 September 2011 through 9 September 2011
ER -