E-book, English, Volume 27, 312 pages, eBook
Series: Advances in Information Security
ISBN: 978-0-387-44599-1
Publisher: Springer US
Format: PDF
Copy protection: 1 - PDF Watermark
arms race.
Malware Detection captures the state-of-the-art research in the area of malicious code detection, prevention and mitigation.
Target audience
Research
Authors/Editors
Further information & material
- Overview
- Malware Evolution: A Snapshot of Threats and Countermeasures in 2005
- Software Analysis and Assurance
- Static Disassembly and Code Analysis
- A Next-Generation Platform for Analyzing Executables
- Behavioral and Structural Properties of Malicious Code
- Detection and Prevention of SQL Injection Attacks
- Distributed Threat Detection and Defense
- Very Fast Containment of Scanning Worms, Revisited
- Sting: An End-to-End Self-Healing System for Defending against Internet Worms
- An Inside Look at Botnets
- Can Cooperative Intrusion Detectors Challenge the Base-Rate Fallacy?
- Stealthy and Targeted Threat Detection and Defense
- Composite Hybrid Techniques For Defending Against Targeted Attacks
- Towards Stealthy Malware Detection
- Novel Techniques for Constructing Trustworthy Services
- Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems
- Principles of Secure Information Flow Analysis
1.3.1 Countermeasures for Previously Unseen Threats (p. 6)
Countermeasures for previously unseen threats are addressed below in three parts: first, detecting previously unseen threats against already known vulnerabilities; second, identifying previously unknown vulnerabilities; and third, detecting previously unseen threats without foreknowledge of the vulnerability.
Blocking Previously Unseen Threats Against Already Known Vulnerabilities
Techniques such as Generic Exploit Blocking (GEB) [33] and Microsoft's Shield effort [47] were conceived to provide protection against previously unseen threats. These techniques use analysis of a known vulnerability to produce a signature that is not specific to any single instance of malware exploiting the vulnerability.
Thus, a properly written vulnerability-based signature can detect all potential attacks against a given vulnerability, including exploit variants that did not exist when the signature was written. This is in contrast with traditional antivirus and IDS heuristics, which may detect some percentage of new threats but cannot guarantee complete detection. However, these approaches face a number of implementation challenges, including the following three.
- First, the signatures must be specified in a language, and processed by a scanning engine, that together permit performant scanning, either in the sense of high line speeds, as is the constraint for traditional intrusion detection and network-level anti-virus systems, or in the sense of low CPU burden on the host.
- Second, the system must maintain low false positives while producing high true positives.
- Third, even though these approaches do not require prior knowledge of the malware, they still require prior knowledge of the vulnerability. The luxury of that prior knowledge is not always available. The next two sections describe techniques for identifying previously unknown vulnerabilities, and techniques for detecting previously unseen threats without the luxury of knowledge of the vulnerability.
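The distinction between an exploit-instance signature and a vulnerability-based signature, shown as an added example (this is not code from the book, nor from GEB or Shield). It models a hypothetical line-oriented service whose LOGIN handler copies the username into a fixed 64-byte buffer without a length check; the service, the buffer size, the exploit byte patterns and the traffic samples are all constructed for the example. The content signature matches only the one exploit it was written from, while the vulnerability signature matches the triggering condition and so also catches a rewritten variant, yet stays quiet on a long field sent to a different command and on a username exactly at the limit.

```python
"""Vulnerability-based signature vs. exploit-instance signature.

Added example, not code from the book or from GEB/Shield. It models a
hypothetical line-oriented service whose LOGIN handler copies the username
into a fixed 64-byte buffer without a length check (constructed scenario).
"""
import re

BUF_SIZE = 64                 # assumed size of the hypothetical username buffer
LOGIN_PREFIX = b"LOGIN "

# Exploit-instance signature: the byte pattern of one particular exploit
# (a NOP sled followed by a payload marker). Constructed for this example.
EXPLOIT_INSTANCE_SIG = re.compile(rb"\x90{8,}EXPLOIT_V1")


def exploit_instance_match(msg: bytes) -> bool:
    """Traditional content signature: matches one known exploit's bytes."""
    return EXPLOIT_INSTANCE_SIG.search(msg) is not None


def vulnerability_sig_match(msg: bytes) -> bool:
    """Vulnerability-based signature: matches the condition that triggers the
    bug (a username field longer than the buffer), whatever the payload is."""
    if not msg.startswith(LOGIN_PREFIX):
        return False        # other commands never reach the vulnerable copy
    username = msg[len(LOGIN_PREFIX):].split(b"\n", 1)[0]
    return len(username) > BUF_SIZE


def classify(msg: bytes) -> dict:
    return {
        "instance": exploit_instance_match(msg),
        "vulnerability": vulnerability_sig_match(msg),
    }


# Constructed traffic samples.
BENIGN = LOGIN_PREFIX + b"alice\n"
BENIGN_MAX = LOGIN_PREFIX + b"b" * BUF_SIZE + b"\n"            # exactly at the limit
ORIGINAL_EXPLOIT = LOGIN_PREFIX + b"\x90" * 40 + b"EXPLOIT_V1" + b"A" * 30 + b"\n"
VARIANT_EXPLOIT = LOGIN_PREFIX + b"\x41" * 70 + b"PAYLOAD_V2" + b"\n"  # same bug, new bytes
OTHER_COMMAND = b"SEARCH " + b"q" * 200 + b"\n"                 # long field, safe code path

SAMPLES = {
    "benign": BENIGN,
    "benign_max": BENIGN_MAX,
    "original_exploit": ORIGINAL_EXPLOIT,
    "variant_exploit": VARIANT_EXPLOIT,
    "other_command": OTHER_COMMAND,
}


def summarize() -> dict:
    """Run both signatures over every sample."""
    return {name: classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:18s} {result}")
```

The `benign_max` and `other_command` samples are the false-positive checks the second challenge above calls for: a vulnerability signature written as "any long field" rather than "a field longer than the buffer, on the vulnerable code path" would fire on both. The third challenge is visible too: writing `vulnerability_sig_match` required knowing the buffer size and which command reaches it, knowledge that is unavailable for an unknown vulnerability.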
Identifying Previously Unknown Vulnerabilities
Given that the above techniques rely on prior knowledge of vulnerabilities, they would be substantially more valuable if it were possible to identify vulnerabilities in software before malware is created to exploit them. A form of random test case generation known as fuzzing [5] is among the most common techniques for finding vulnerabilities.
More recently, static analysis of the target software itself has been used to generate test cases intelligently, more efficiently identifying vulnerabilities likely to exist near corner cases in the target's execution [16, 23]. Although these techniques currently require source code, substantial progress has been made in extracting models from executable code for model checking and other static analysis without source code [13, 14]. However, in discussing static analysis of binaries, it is important to note that such tools can be used just as effectively by the creators of malware as by the security community [30].
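A minimal mutational fuzzer, as an added example rather than code from the book or from reference [5]. The target is a hypothetical record parser constructed for the example, with two deliberate corner-case bugs (no bounds check before reading a length byte, and a division by the field count). The fuzzer mutates a valid seed record with bit flips, boundary-value overwrites, truncation and byte insertion, and treats any exception other than the parser's own `ValueError` as a crash; the mutation set and iteration count are assumed tuning values.

```python
"""Mutational fuzzing of a toy record parser (added example, not the book's code).

Record format, constructed for this example:
    [n_fields:1][len:1][len bytes] ... repeated n_fields times
"""
import random


def parse_record(data: bytes) -> list:
    """Hypothetical parser with two deliberate corner-case bugs."""
    if not data:
        raise ValueError("empty record")          # the parser's own rejection
    n_fields = data[0]
    pos = 1
    fields = []
    for _ in range(n_fields):
        length = data[pos]                        # bug 1: no check that pos < len(data)
        pos += 1
        fields.append(bytes(data[pos:pos + length]))
        pos += length
    avg_len = (pos - 1 - n_fields) // n_fields    # bug 2: n_fields == 0 divides by zero
    if pos != len(data):
        raise ValueError("trailing bytes")        # expected rejection, not a crash
    return fields


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]      # classic boundary values


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to the seed."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and data:                      # flip one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:                    # overwrite with a boundary value
        data[rng.randrange(len(data))] = rng.choice(INTERESTING)
    elif choice == 2 and len(data) > 1:           # truncate somewhere after byte 0
        del data[rng.randrange(1, len(data)):]
    else:                                         # insert a random byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return the first crashing input found for each exception type.

    ValueError is the parser rejecting bad input on purpose; anything else
    means the parser itself failed, which is the fuzzer's crash oracle.
    """
    rng = random.Random(rng_seed)                 # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                  # noqa: BLE001 - crash oracle
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEED = b"\x02\x03abc\x02de"                       # constructed valid record: ["abc", "de"]


if __name__ == "__main__":
    for kind, case in fuzz(parse_record, SEED).items():
        print(f"{kind}: {case!r}")
```

In a native target the same two bugs would be an out-of-bounds read and a divide-by-zero trap, found the same way by watching for a signal instead of a Python exception. The static-analysis-guided generators cited above differ from this fuzzer only in where the test cases come from: instead of random mutations they derive inputs that steer execution toward the boundary conditions (`pos` reaching `len(data)`, `n_fields` of zero) that this loop only reaches by chance.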
Identifying Previously Unseen Threats without Prior Knowledge of Vulnerabilities
In this section we describe several emerging techniques that do not require prior knowledge of vulnerabilities for identifying previously unseen threats. These techniques include behavior based techniques, honeypots, anomaly detection, fault analysis, and correlation. Dynamic analysis of program behavior within a host is not new [11]. Behavior analysis was extended with various forms of anomaly detection [25] to improve generalization to previously unseen attacks while reducing false positives.
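One concrete form of host-based behavioral anomaly detection is the sliding-window model over system-call sequences: every length-k window of calls observed in normal traces is recorded as "self", and a new trace is scored by the fraction of its windows never seen in training. The code below is an added example of that scheme, not code from the book or from references [11] or [25]; the window length, the threshold and all traces are constructed for the illustration.

```python
"""Sequence-based anomaly detection over system-call traces.

Added example (not the book's code). Every length-k window of calls seen in a
training set of normal traces is "self"; at detection time the fraction of
windows never seen in training is the anomaly score. All traces below are
constructed, not captured from a real host.
"""

K = 3  # window length; an assumed tuning value


def train(traces, k=K):
    """Collect every length-k window from the normal traces."""
    normal = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            normal.add(tuple(trace[i:i + k]))
    return normal


def score(trace, normal, k=K):
    """Fraction of the trace's windows that never occurred during training."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    if not windows:
        return 0.0  # too short to judge; prefer silence to a baseless alarm
    unseen = sum(1 for w in windows if w not in normal)
    return unseen / len(windows)


def is_anomalous(trace, normal, threshold=0.2, k=K):
    """Alarm when more than `threshold` of the windows are unseen (assumed value)."""
    return score(trace, normal, k) > threshold


# Constructed training traces of a well-behaved file-reading program.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["stat", "open", "read", "close"],
]
NORMAL = train(NORMAL_TRACES)

# Constructed test traces.
TEST_BENIGN = ["stat", "open", "read", "read", "write", "close"]   # new trace, old windows
TEST_ATTACK = ["open", "read", "mmap", "mprotect", "execve"]       # injected-code pattern
TEST_PARTIAL = ["open", "read", "read", "close", "execve"]         # normal prefix, odd tail


if __name__ == "__main__":
    for name, trace in [("benign", TEST_BENIGN), ("attack", TEST_ATTACK),
                        ("partial", TEST_PARTIAL)]:
        print(f"{name:8s} score={score(trace, NORMAL):.3f} "
              f"anomalous={is_anomalous(trace, NORMAL)}")
```

`TEST_BENIGN` is a sequence that never appeared in training yet scores zero, because every one of its windows did: that is the generalization the paragraph refers to. The trade-off is also visible: a larger `k` or a lower threshold catches shorter deviations such as `TEST_PARTIAL` but raises the false-positive rate on legitimate behavior the training set did not cover, and since benign activity vastly outnumbers attacks on most hosts, even a small per-trace false-positive rate dominates the alerts an operator sees.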