1
DAWN: A Novel Strategy for Detecting ASCII Worms in Networks
Parbati Kumar Manna, Sanjay Ranka, Shigang Chen
Department of Computer and Information Science and Engineering, University of Florida
IEEE INFOCOM 08
2
Outline
Introduction
ASCII Worm
Detection Strategies
Probabilistic Analysis
Implementation
Evaluation
Conclusions
3
Introduction
Almost any ASCII string translates into a syntactically correct sequence of instructions
The proportion of branch instructions in ASCII data is significantly higher than in binary data
Prune the number of paths to be inspected
4
ASCII Worm
ASCII data: 0x20 ~ 0x7E
Maximal valid instruction sequence
LMVI: Length of Maximal Valid Instruction sequence
5
ASCII Worm
Intel opcodes in ASCII
Dual-operand register/memory manipulation: sub, xor, inc, imul
Single-operand register manipulation: inc, dec
Stack manipulation: push, pop, popa
Jump: jo, jno, jb, jae, je, jne, jbe, ja, js, jns, jp, jnp, jnge, jnl, jng
6
ASCII Worm
I/O operation: insb, insd, outsb, outsd
Miscellaneous: aaa, daa, das, bound, arpl
Operand and segment override prefixes: cs, ds, es, fs, gs, ss, a16, o16
Move eax, ebx: push ebx; pop eax
7
ASCII Worm
8
ASCII Worm
Both the decrypter and the encrypted payload should be ASCII
The size of the decrypter should be small
There should not be a significant size discrepancy between the encrypted payload and the cleartext
9
Detection Strategies
Constraints of an ASCII Worm: Opcode Unavailability, Difficulty in Encryption, Control Flow Constraints
Self-mutation is a mandatory constraint: n bytes of instructions require an O(n)-byte decrypter
10
Detection Strategies
Prevalence of Privileged Instructions: the ASCII characters l, m, n, o decode to insb, insd, outsb, outsd
Illegal Memory Access: Uninitialized register, Wrong Segment selector, Explicit Memory Address
11
Probabilistic Analysis
Assumptions: The characters in the traffic are independently distributed
Bernoulli trial
12
Probabilistic Analysis
Invalid instruction: Privileged instruction; Memory-accessing instructions
13
Probabilistic Analysis
Notation:
p: the probability of an invalid instruction
n: the total number of instructions
N: the total number of invalid instructions (the number of valid instruction sequences)
Instruction stream (S1 S2 S3 … SN)
Xi: the length of Si
Xmax: max{X1, X2, …, XN}
14
Probabilistic Analysis
p.m.f of N: $P(N) = \binom{n}{N} p^{N} (1-p)^{n-N}$
p.m.f of Xi: $P(X_i = x) = p(1-p)^{x-1}$
c.d.f of Xi: $P(X_i \le x) = 1 - (1-p)^{x}$
15
Probabilistic Analysis
For an instance of exactly N sequences
16
Probabilistic Analysis
The c.d.f of Xmax
17
Probabilistic Analysis
The p.m.f of Xmax
18
Probabilistic Analysis
Verifying Model Using Monte-Carlo Simulation
19
Probabilistic Analysis
Threshold τ (for a false-positive rate α, with the number of sequences N approximated by its mean np):
$\tau = \dfrac{\log\left(1 - (1-\alpha)^{1/(np)}\right)}{\log(1-p)}$
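A worked calibration of the model on slides 14, 18, 19 and 22, added here as an illustration and not the authors' code: it evaluates the p.m.f./c.d.f. above, collapses P(Xmax ≤ x) to a closed form, finds the threshold τ for a false-positive budget α, and checks it by Monte-Carlo simulation of benign streams. It uses the slide values n = 1540, p = 0.227, α = 0.01 and assumes the X_i are independent and that a trailing run with no terminating invalid instruction still counts as a sequence; under these assumptions the exact tail is about 1.2% at τ = 40 and 0.9% at τ = 41, bracketing the slide's τ = 40.

```python
import math
import random

# Model from the slides: each of the n instructions is a Bernoulli trial that
# is "invalid" (terminates a valid sequence) with probability p.

def pmf_N(N, n, p):
    """P(N invalid instructions among n): binomial, as on slide 14."""
    return math.comb(n, N) * p ** N * (1 - p) ** (n - N)

def pmf_X(x, p):
    """P(X_i = x): geometric; x counts instructions up to and including the terminator."""
    return p * (1 - p) ** (x - 1)

def cdf_X(x, p):
    """P(X_i <= x) = 1 - (1-p)^x."""
    return 1 - (1 - p) ** x

def cdf_Xmax(x, n, p):
    """P(Xmax <= x) = sum_N pmf_N(N) * cdf_X(x)^N, which the binomial theorem
    collapses to (1 - p(1-p)^x)^n (assumption: the X_i are independent)."""
    return (1 - p * (1 - p) ** x) ** n

def threshold(n, p, alpha):
    """Smallest tau with P(Xmax > tau) <= alpha, i.e. a benign stream is flagged
    (LMVI above tau) with probability at most the false-positive budget alpha."""
    tau = 1
    while 1 - cdf_Xmax(tau, n, p) > alpha:
        tau += 1
    return tau

def simulate_xmax(n, p, rng):
    """One Monte-Carlo stream (slide 18): draw n trials and return the longest
    sequence; a trailing run without a terminator is counted too (assumption)."""
    longest, run = 0, 0
    for _ in range(n):
        run += 1                       # this instruction extends the current sequence
        if rng.random() < p:           # an invalid instruction closes the sequence
            longest, run = max(longest, run), 0
    return max(longest, run)

def monte_carlo_tail(n, p, tau, trials=2000, seed=7):
    """Fraction of simulated benign streams whose Xmax exceeds tau."""
    rng = random.Random(seed)
    return sum(simulate_xmax(n, p, rng) > tau for _ in range(trials)) / trials

if __name__ == "__main__":
    n, p, alpha = 1540, 0.227, 0.01    # values from slide 22
    for tau in (39, 40, 41):
        print(tau, round(1 - cdf_Xmax(tau, n, p), 4))
    print("tau =", threshold(n, p, alpha))
    print("simulated tail at 40:", monte_carlo_tail(n, p, 40))
```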
20
Implementation
Instruction Disassembly
Instruction Sequence Analysis
21
Evaluation
Creation of the Test Data
Benign data: 100 cases, each containing nearly 4K printable ASCII characters
22
Evaluation
Determining Appropriate Thresholds for the Test Data
Determining p: 0.227
Determining n: 1540
Determining the threshold τ: 40 (when α = 0.01)
23
Evaluation
Experimental Results and Assessing the Effectiveness of the Detection Method
24
Evaluation
25
Conclusions
An ASCII worm must self-mutate to generate binary opcodes
This mutation requires a lot of memory-writing instructions
The size of the decrypter is relatively big for an ASCII worm
26
Conclusions
Benign ASCII data does not have such a long executable instruction sequence
The length of the maximal valid instruction sequence can be used to differentiate between benign and malicious data
27
Determining p
Prob[I/O instruction] + Prob[wrong-segment-override memory-accessing instruction] = 18.5% + 4.2% = 22.7%
28
Determining n
E[length of instruction] = E[length of prefix chain] + E[length of actual instruction] = 2.6
n = Total number of input characters / E[instruction size] = 4000 / 2.6 = 1540