Detecting Malicious Code by Model Checking

Abstract. The ease of compiling malicious code from source code in higher programming languages has increased the volatility of malicious programs: The first appearance of a new worm in the wild is usually followed by modified versions in quick succession. As demonstrated by Christodorescu and Jha, however, classical detection software relies on static patterns, and is easily outsmarted. In this paper, we present a flexible method to detect malicious code patterns in executables by model checking. While model checking was originally developed to verify the correctness of systems against specifications, we argue that it lends itself equally well to the specification of malicious code patterns. To this end, we introduce the specification language CTPL (Computation Tree Predicate Logic) which extends the well-known logic CTL, and describe an efficient model checking algorithm. Our practical experiments demonstrate that we are able to detect a large number of worm variants with a single specification. Key words: Model Checking, Malware Detection.

Idea-caution before exploitation:the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed

USAID: Unifying Signature-Based and Anomaly-Based Intrusion Detection

Most intrusion detection techniques su#er from either an inability to detect unknown intrusions, or unacceptably high false alarm rates. However, there lacks a general basis to analyze and find solutions to these problems. In this paper, we propose such a theoretical basis for intrusion detection, which makes it possible to systematically express and analyze the detection performance metrics such as the detection rate and false alarm rate in a quantified manner. Most importantly, the insights gained from the basis lead to the proposal for a new intrusion detection technique -- USAID. USAID attempts to exploit the advantages of both techniques, and overcome their respective shortcomings

Multistep attack detection and alert correlation in intrusion detection systems

A growing trend in the cybersecurity landscape is repre-sented by multistep attacks that involve multiple correlated intrusionactivities to reach the intended target. The duty of correlating secu-rity alerts and reconstructing complete attack scenarios is left to sys-tem administrators because current Network Intrusion Detection Sys-tems (NIDS) are still oriented to generate alerts related to single attacks,with no or minimal correlation analysis among dierent security alerts.We propose a novel approach for the automatic analysis of multiple se-curity alerts generated by state-of-the-art signature-based NIDS. Ourproposal is able to group security alerts that are likely to belong to thesame attack scenario, and to identify correlations and causal relation-ships among them. This goal is achieved by combining alert classicationthrough Self Organizing Maps and unsupervised clustering algorithms.The ecacy of the proposal is demonstrated through a prototype testedagainst network trac traces containing multistep attacks