Technical Program
| Day | Time | Plenary |
| --- | --- | --- |
| Tue | 09:00-10:00 | K1: Keynote |
| Tue | 10:30-12:00 | S1: Morning Session |
| Tue | 13:30-15:00 | S2: Afternoon Session |
Tuesday, Oct 20
09:00 - 10:00
K1: Keynote
- Mobility, Routing, and Computation in Ad-Hoc and Disruption-Tolerant Networks
- Stephen D. Wolthusen
(Royal Holloway, University of London, UK and Gjøvik University College, Norway)
10:30 - 12:00
S1: Morning Session
- Measuring Similarity of Malware Behavior
- Martin Apel (University of Dortmund, Germany); Christian Bockermann (University of Dortmund, Germany); Michael Meier (University of Dortmund, Germany)

Malicious software (malware) represents a major threat for computer systems of almost all types. In the past few years the number of prevalent malware samples has increased dramatically due to the fact that malware authors started to deploy morphing (aka obfuscation) techniques in order to hinder detection of such polymorphic malware by anti-malware products. Using these techniques numerous variants of a malware can be generated. All these variants have a different syntactic representation while providing almost the same functionality and showing similar behavior. In order to effectively detect polymorphic malware it is advantageous (if not required) to know which malware samples are variants of a particular malware. Respective approaches for determining this relation between malware samples automatically are currently investigated by a number of researchers. A prerequisite for assessing this relation based on particular features of malware samples is an appropriate similarity or distance measure. In particular a number of approaches for clustering malware samples have been recently published. Thereby different similarity measures are used but without thoroughly discussing the choice. So it is an unanswered question which similarity measures are appropriate for determining respective relations between malware samples. To answer this question we study different distance measures in detail and discuss desirable properties of a distance measure for this particular purpose. We focus on behavioral features of malware and compare and experimentally evaluate different distance measures for malware behavior. Based on our results we identify a most appropriate distance measure for grouping malware samples based on similar behavior.
- npf—A Simple, Traffic-Adaptive Packet Classifier Using On-line Reorganization of Rule Trees
- Shariful Shaikot (Washington State University, USA); Min Kim (Washington State University, USA)

Packet classification is one of the crucial components of applications such as firewalls, intrusion detection, and differentiated services. For example, an intrusion detection system (IDS) classifies packets either as benign or malicious and alerts the network administrator. Since existing IDSs spend the majority of CPU time in packet classification, an IDS fails to detect malicious packets under high load. Many ideas have been proposed to make the packet inspection faster so that an IDS spends less time in packet classification. However, because of the increasing number of security threats and vulnerabilities, the number of rules often exceeds thousands, requiring more than hundreds of megabytes of memory. As a result, an IDS spends a longer time to classify packets since each packet incurs many memory accesses, and thus the throughput of an IDS is limited by memory bandwidth. The problem can be mitigated by exploiting locality in traffic patterns. In this paper, we propose npf, a fast and traffic-adaptive packet classifier which intelligently reorganizes the internal structure based on the traffic pattern. Unlike existing approaches requiring a separate, off-line reorganization phase, npf performs reorganization on-line with little overhead, resulting in higher throughput without compromising accuracy. Experimental results on our test bed show that npf outperforms a traditional packet classifier by spending an order of magnitude less time per packet in order to classify the packet.
- An Anti-Spam Scheme Using Capability-Based Access Control
- Yasushi Shinjo (University of Tsukuba, Japan)

This paper proposes an anti-spam scheme that uses capability-based access control. In this scheme, rights to bypass spam filters are represented as capabilities, and an email message containing a valid capability bypasses the spam filter and goes straight to the receiver's inbox. As a result, the false positive problem inherent in existing spam filters is eliminated. This scheme allows a user to delegate rights to another person and is compatible with existing email systems and applications. It was implemented in Mozilla Thunderbird, along with a tool, Capability Basket, that provides an API for email clients and a GUI for users.
- Design Considerations for a Honeypot for SQL Injection Attacks
- Thomas Chen (Swansea University, United Kingdom); John Buford (Avaya Labs Research, USA)

SQL injection attacks continue to be a major problem for web applications. We investigate design considerations for an application layer honeypot to attract and learn about SQL injection attacks. The honeypot responds with indications of vulnerability leading attackers ultimately to disinformation that could be useful to track them. The honeypot restricts attackers from escalating the attack to the operating system or launching attacks on other systems. The honeypot could emulate the appearance of common defenses against SQL injection in order to seem more genuine. Finally, we describe considerations to implement an experimental honeypot with honeyd.
13:30 - 15:00
S2: Afternoon Session
- On Limited-Range Strategic/Random Jamming Attacks in Wireless Ad hoc Networks
- Korporn Panyim (University of Pittsburgh, USA); Thaier Hayajneh (University of Pittsburgh, USA); Prashant Krishnamurthy (University of Pittsburgh, USA); David Tipper (University of Pittsburgh, USA)

Jamming attacks are considered one of the most devastating as they are difficult to prevent and sometimes hard to detect. In this paper we consider the impact of the placement and range of limited-range jammers on ad hoc networks. Limited range jammers are more difficult to detect as they use transmission powers similar to that of regular nodes (or perhaps even smaller transmit powers). The attacker can locate his jammer(s) randomly in the network. Alternatively, jammers can be placed at strategic locations. For instance, intuitively, this can be nodes with high traffic inputs/outputs (discovered by sensing the traffic flow in the network). Using OPNET, we perform extensive simulations to show how significant such strategically placed attacks can be compared to random placement of limited-range jammers on both TCP and UDP traffic.
- A Frame Handler Module for a Side-Channel in Mobile Ad Hoc Networks
- Marvin Odor (University of Ontario Institute of Technology, Canada); Babak Nasri (Beyond measures Inc., Canada); Mazda Salmanian (Defence R&D Canada, Canada); Peter Mason (Defence Research & Development Canada, Canada); Miguel Vargas Martin (University of Ontario Institute of Technology, Canada); Ramiro Liscano (University of Ontario Institute of Technology, Canada)

In this paper, we establish a hidden 802.11 wireless channel, with the masking of the channel achieved by inserting intentional errors in the Frame Check Sequence (FCS). We design a frame handler module to provide a proof-of-concept model of the side-channel using MATLAB and Simulink with Communication Toolbox. We justify using MATLAB over the other simulation tools because of its existing functions: physical layer IEEE 802.11 wireless local area networking (WLAN) standard, existing modular channel fading models, the MAC layer cyclic redundancy checksum (CRC) generator, the CRC Syndrome detector, and the capability of modifying fields in a frame. These existing functions allow for the creation of a frame handler which generates frames, according to our design, to be inserted as erroneous frames and recovers frames from normal 802.11 traffic. Herein we provide the design and details of the implementation of the channel. Our design offers the ability to introduce error detection and correction capabilities, and protection against passive monitoring defences. This simulation framework is a step towards the development of more sophisticated environments including multi-node simulations that maintain robust and reliable side-channel communication.
- Energy-Efficient Multi-key Security Scheme for Wireless Sensor Networks
- Sandeep Chowdary Kolli (Missouri University of Science and Technology, USA); Maciej Zawodniok (Missouri S&T, USA)

This paper proposes a multi-key encryption scheme and engine architecture (MKE) that increases security and optimizes energy efficiency of sensor networks, while minimizing modifications to existing implementations. The scheme improves security of AES against correlation power analysis (CPA) attack by employing the MKE engine, breaking the correlation between power consumption and the used key. Other schemes utilize complex hardware designs, for example by using the inhomogeneous s-boxes that reduce energy efficiency of the engine. In contrast, the proposed hardware engine uses a random sequence of a few keys to encode subsequent blocks of a message. Additionally, the scheme improves security of AES against brute-force attacks for a given key size by utilizing multiple keys to encrypt subsequent blocks of a message. In contrast, a typical security upgrade would require a larger key size and encryption engine, which would increase cost and energy consumption of the devices. Both analytical and simulation results are presented in this paper.
- Group Key Agreement for Wireless Mesh Networks
- Andreas Noack (Ruhr-Universität Bochum, Germany); Joerg Schwenk (Ruhr-University Germany, Germany)

Wireless mesh networks consist of stationary nodes that communicate over wireless connections. Since WLAN security standards are only applicable in the standard scenario where the access points are connected by a cable-bound backbone, nearly all mesh networks broadcast messages in the clear. To secure these networks, and to reduce the amount of re-encryption of messages, we propose to use group key agreement (GKA) protocols to agree on a common key for all nodes. In a mesh network, a message sent by one node can only be received directly by nodes within the broadcast reach of the first node. Thus we have neither direct point-to-point connections between nodes, nor do we have a perfect broadcast channel. We therefore compare the suitability of different GKA protocols proposed in the literature for mesh networks.