Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers

Research Article

SA: Automatic Semantic Aware Attribution Analysis of Remote Exploits

@INPROCEEDINGS{10.1007/978-3-642-31909-9_11,
    author={Deguang Kong and Donghai Tian and Peng Liu and Dinghao Wu},
    title={SA: Automatic Semantic Aware Attribution Analysis of Remote Exploits},
    proceedings={Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers},
    proceedings_a={SECURECOMM},
    year={2012},
    month={10},
    keywords={Remote Exploit Shellcode Attribution Mixture of Markov Model},
    doi={10.1007/978-3-642-31909-9_11}
}

Deguang Kong, Donghai Tian, Peng Liu, Dinghao Wu. SA: Automatic Semantic Aware Attribution Analysis of Remote Exploits. SECURECOMM, Springer, 2012. DOI: 10.1007/978-3-642-31909-9_11

Deguang Kong*, Donghai Tian1,*, Peng Liu1,*, Dinghao Wu1,*
  • 1: Pennsylvania State University
*Contact email: dkong@ist.psu.edu, dtian@ist.psu.edu, pliu@ist.psu.edu, dwu@ist.psu.edu

Abstract

Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis, i.e., automatically categorizing exploits or determining whether an exploit is a variant of a past attack, is also very important. In this paper, we present SA, an exploit code attribution analysis that combines semantic analysis and statistical analysis to automatically categorize a given exploit code. SA extracts semantic features from an exploit code through data anomaly analysis, and then attributes the exploit to an appropriate class based on our statistical model derived from a Markov model. We evaluate SA over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings, with a false positive rate of no more than 4.5%. To our knowledge, SA is the first work combining semantic analysis with statistical analysis for exploit code attribution analysis.