Polymorphic attacks against sequence-based software birthmarks

Add to your list(s) Download to your calendar using vCal

• Wei Ming Khoo (University of Cambridge)
• Friday 08 June 2012, 16:00-16:20
• Computer Laboratory, William Gates Building, Room FW26.

If you have a question about this talk, please contact Wei Ming Khoo.

Sequence alignment algorithms have recently found a use in detecting code clones, software plagiarism, code theft, and polymorphic malware. This approach involves extracting birthmarks, in this case sequences, from programs and comparing them using sequence alignment, a procedure which has been intensively studied in the field of bioinformatics. This idea seems promising. However, we show that an attacker can evade detection by considering the positions of inserted dummy code and/or the frequency of function calls. Moreover, we found that randomly inserting and deleting symbols in the sequence was ineffective. By using birthmark sequences extracted from actual malicious and benign programs, we found that the most effective strategy was to use a hybrid approach incorporating “non-consecutive insertion” and “highest frequency deletion”. We also discuss the implementation costs of such attacks and propose using non-determinism through concurrent programming as an alternative evasion strategy. This is joint work with Hyoungshick Kim and Pietro Lio’.

This is a practice talk for SSP ’12.

This talk is part of the Computer Laboratory Security Group meeting presentations series.

This talk is included in these lists:

• All Talks (aka the CURE list)
• Cambridge talks
• Computer Laboratory Security Group meeting presentations
• Computer Laboratory, William Gates Building, Room FW26
• Department of Computer Science and Technology talks and seminars
• Interested Talks
• School of Technology
• Security-related talks
• Trust & Technology Initiative - interesting events
• bld31

Note that ex-directory lists are not shown.