Automated Attacker Correlation for Malicious Code

Dullien, Thomas; Carrera, Ero; Eppler, Soeren-meyer; Porst, Sebastian

Automated Attacker Correlation for Malicious Code

Active / Technical Report | Accession Number: ADA546372 |

Open PDF

Abstract:

Correlating attacks can be specifically problematic in the digital domain. It is a common scenario that the only real trace of an attack that can be obtained is executable code. As such, executable code of malicious software forms one of the primary pieces of evidence that need to be examined in order to establish correlation between seemingly independent eventsattacks. Due to the high technical sophistication required for building advanced and stealthy persistent backdoors rootkits, it is quite common for code fragments to be re-used. A big obstacle to performing proper correlation between different executables is the high degree of variability which the compiler introduces when generating the final byte sequences. This paper presents the results of research on executable code comparison for attacker correlation. Instead of pursuing a byte-based approach, a structural approach is chosen. The result is a system that can identify code similarities in executables with accuracy that often exceeds that of a human analyst and at much higher speed.

Author(s):

Dullien, Thomas ; Carrera, Ero ; Eppler, Soeren-meyer ; Porst, Sebastian

Author Organization(s):

BOCHUM UNIV (GERMANY F R)

Descriptive Note:

Conference paper

Supplementary Note:

Presented at the RTO Information Systems and Technology Panel (IST) Symposium held in Tallinn, Estonia on 22-23 November 2010. Published in RTO-MP-IST-091, paper no. 26, p26-1/26-10, November 2010.

Pagination:

0011

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release, Nato

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited. Nato.

RECORD

Collection: TR

Identifying Numbers

Monitor Series:

NATO

Subject Terms

Joint Capability Areas:

JCA_6_Net Centric; JCA_6.4.1_Secure Information Exchange; JCA_6.4_Information Assurance; JCA_3.2_Engagement; JCA_3_Force Application; JCA_3.2.2_Non-Kinetic Means; JCA_7_Protection; JCA_7.2.1_Mitigate Lethal Effects; JCA_7.2_Mitigate; JCA_5_Command and Control; JCA_6.1_Information Transport; JCA_5.3_Planning; JCA_8_Building Partnerships

Communities of Interest:

No COI(s) Identified

Descriptor(s):

*COMPUTER SECURITY, *CORRELATION, COMPARISON, GERMANY, AUTOMATION, SYMPOSIA, ATTACK

Field(s)/Group(s):

Computer Systems Management and Standards

Keyword(s):

FOREIGN REPORTS, NATO FURNISHED, EXECUTABLE CODE, MALICIOUS CODE

Report Date:

2010 Mar 22

Creation Date:

2011 Aug 17