Edition:
Authors: Diego Zamboni (editor)
Series:
ISBN: 3540705414, 9783540705413
Publisher: Springer
Year of publication: 2008
Number of pages: 288
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 11 MB
If you need the book Detection of Intrusions and Malware, and Vulnerability Assessment: 5th International Conference, DIMVA 2008, Paris, France, July 10-11, 2008, Proceedings (Lecture Notes in Computer Science, 5137) converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can notify support so that they convert the file for you.
Note that the book Detection of Intrusions and Malware, and Vulnerability Assessment: 5th International Conference, DIMVA 2008, Paris, France, July 10-11, 2008, Proceedings (Lecture Notes in Computer Science, 5137) is the original-language edition and has not been translated into Persian. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Title Page Preface Organization Table of Contents

Data Space Randomization
Introduction Paper Organization Transformation Overview Pointer Analysis Mask Assignment Implementation Handling Overflows within Structures Handling Variable Argument Functions Transformation of Libraries Evaluation Functionality Runtime Overheads Analysis of Effectiveness Against Different Attacks Related Work Conclusion References

XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks
Introduction Challenges in Preventing XSS Attacks Some XSS Attack Scenarios Our Approach A Generic Mechanism for Identifying Script Content Shadow Pages: Computing Web Application Intent Distinguishing XSS Attack Instances from Authorized Scripts Experimental Evaluation Effectiveness Evaluation A Comprehensive Evaluation of Resilience Performance Verifying Safe-Passage of Benign HTML Tags in Untrusted Contents Discussion Related Work Vulnerability Analysis Based Approaches Attack Prevention Approaches Conclusion References

VeriKey: A Dynamic Certificate Verification System for Public Key Exchanges
Introduction Related Work SSL Man-in-the-Middle Attack Overview System Architecture Design Considerations Certificate Verification Components System Deployment Certificate Integrity and Verification Verification Server Selection Evaluation Experimental Setup Verification Process Overhead Man-in-the-Middle Attack Prevention System Limitations Security and Performance Optimizations Conclusion References

Dynamic Binary Instrumentation-Based Framework for Malware Defense
Introduction Overview Details of the Proposed Approach Design and Implementation of the Testing Environment Design and Implementation of the Real Environment Evaluation Virus Detection Results Execution Time Overheads Conclusion References

Embedded Malware Detection Using Markov n-Grams
Introduction Attack Scenarios Related Work Data Benign Dataset Malware Dataset Infected Dataset Pilot Experimental Studies Whole File n-Grams for Embedded Malware Detection Block-Wise n-Grams for Embedded Malware’s Location Identification Discussion Modeling and Quantification of n-Gram Information Correlation in File Data A Statistical Model of Benign Byte Sequences Classification Using Entropy Rate Thresholding Classification Results Limitations of the Markov n-Gram Detector Conclusions References

Learning and Classification of Malware Behavior
Introduction Related Work Methodology Malware Corpus for Learning Monitoring Malware Behavior Feature Extraction and Embedding Learning and Classification Explanation of Classification Experiments Classification of Malware Behavior Prediction of Malware Families Identification of Unknown Behavior Explaining Malware Behavior Classification Limitations Conclusions References

On Race Vulnerabilities in Web Applications
Introduction Race Conditions in Web Applications Case Studies Detecting Race Conditions in LAMP-Like Web Applications SQL-Query Logger Off-Line Analyzer: Basic Approach Off-Line Analyzer: Further Heuristics Implementation Discussion Evaluation Countermeasures Related Work Conclusions References

On the Limits of Information Flow Techniques for Malware Analysis and Containment
Introduction Stand-Alone Untrusted Applications Evasion Using Control Dependence and Implicit Flows Difficulty of Mitigating Evasion Attacks Implications Analyzing Runtime Behavior of Shared-Memory Extensions Attacks Using Arbitrary Memory Corruption Attacking Mechanisms Used to Determine Execution Context Attacking Meta-data Integrity Analyzing Future Behavior of Malware Evasion Using Memory Errors Implications Related Work Conclusion References

Expanding Malware Defense by Securing Software Installations
Introduction Threat Model and Defense Overview Install-Time Threats Uninstall-Time Threats Approach Overview Initial Installation Phase Policy Checking Phase Commit/Abort Phase Secure Execution of Installed Software Secure Uninstallation Phase Installation Policies Policy Framework Policy for Installing Untrusted Packages Policy for Uninstallation of Untrusted Packages Installation Policy for Benign Packages Evaluation Evaluation of Functionality Performance Evaluation Related Work Conclusion References

FluXOR: Detecting and Monitoring Fast-Flux Service Networks
Introduction Problem Description and Solution Overview Characterising Fast-Flux Service Networks Features Characterising the Domain Name Features Characterising the Degree of Availability of the Network Features Characterising the Heterogeneity of the Agents Combining the Features for Detection Architecture and Implementation of the System Collector Monitor Detector Experimental Results Detection Accuracy Empirical Analysis of the Fast-Flux Service Networks Phenomenon Related Work Conclusion References

Traffic Aggregation for Malware Detection
Introduction Related Work Defining Aggregates Destination Aggregates Payload Aggregates Platform Aggregates Example Configuration Evaluation Data Collection Detecting Malware Unknown Aggregates Discussion and Ongoing Work Conclusion References

The Contact Surface: A Technique for Exploring Internet Scale Emergent Behaviors
Introduction Observed Phenomenon The 2003 Disturbance The 2004 Disturbance Hypotheses Analysis and Simulation The Minor Spike Full Subnet Scanning on a /22 Related Work Conclusions and Acknowledgments References

The Quest for Multi-headed Worms
Introduction Problem Statement The Leurré.com Environment Seminal Work on the Identification of Multi-headed Worms Complexity Analysis Methodology Construction of Filtered Platform Time Series Groups of Correlated Filtered Platform Time Series Root Cause Analysis and Hidden Correlations Results Overview Root Causes Analysis Conclusion References

A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems
Introduction Requirements Framework Architecture Overview Test Case Generation Offline Evasion Testing Live Evasion Testing Initial Experimental Results Test Cases NIDS Configurations Findings Related Work Discussion and Future Work Summary References

Author Index