Udo Payer
Graz University of Technology
Publications
Featured research published by Udo Payer.
international conference on detection of intrusions and malware and vulnerability assessment | 2005
Udo Payer; Peter Teufl; Mario Lamberger
Driven by the permanent search for reliable anomaly-based intrusion detection mechanisms, we investigated different options of neural network (NN) based techniques. A further improvement could be achieved by combining the best suited NN-based data mining techniques with a mechanism we call "execution chain evaluation". This means that disassembled instruction chains are processed by the NN in order to detect malicious code. The proposed detection engine was trained and tested in various ways. Examples were taken from all publicly available polymorphic shellcode engines as well as from self-designed engines. A prototype implementation of our sensor has been realized and integrated as a plug-in into the SNORT [13] intrusion detection system.
International Journal of Network Security | 2009
Guenther Lackner; Udo Payer; Peter Teufl
Unwanted use of wireless networks has become a well-known problem in recent years. One attempt to solve this problem is the use of access control lists, which are associated with accredited MAC addresses. But since MAC addresses can be spoofed very easily, improved mechanisms are needed to attest the uniqueness of a dedicated wireless station. Today, all known approaches are based on the idea of generating NIC-specific profiles derived from invariant NIC characteristics. In doing so, unique features are either extracted from RF components or from the timing behavior of the MAC chip. To give a review and to classify all proposed approaches, we start with a short introduction to all underlying ideas and conclude with a comparison of these mechanisms.
cryptographic hardware and embedded systems | 2000
Herbert Leitold; Wolfgang Mayerwieser; Udo Payer; Karl C. Posch; Reinhard Posch; Johannes Wolkerstorfer
The presented Triple-DES encryptor is a single-chip solution to encrypt network communication. It is optimized for throughput and fast switching between virtual connections such as those found in ATM networks. A broad range of optimization techniques was applied to reach encryption rates above 155 Mbps even for Triple-DES encryption in outer CBC mode. A high-speed logic style and full-custom design methodology made first-time working silicon on a standard 0.6 µm CMOS process possible. Correct functionality of the prototype was verified up to a clock rate of 275 MHz.
international conference on networking | 2008
Peter Teufl; Udo Payer; Michael Amling; Martin Godec; Stefan Ruff; Gerhard Scheikl; Gernot Walzl
Network traffic policy verification is the analysis of network traffic to determine if the observed traffic is in compliance with or in violation of the applied policy. An intuitive approach is the use of machine learning techniques based on specific network traffic characteristics. These traffic characteristics are also known as features, which have to be extracted and selected carefully to build robust and accurate learning models. Thus, finding the best possible learning model in combination with extracting the best possible feature set is a necessary requirement to design accurate traffic classification models. While feature selection can be automated to find the best subset of a given set of features, there are no known mechanisms to solve the problem of feature extraction. Thus, extracting the best possible features has to be done empirically. In this work we present a framework to simplify the empirical model selection and feature extraction process.
cryptology and network security | 2008
Manuel Koschuch; Johann Großschädl; Udo Payer; Matthias Hudler; Michael Krüger
Ever-growing mobility and ubiquitous wireless Internet access raise the need for secure communication with devices that may be severely constrained in terms of processing power, memory capacity and network speed. In this paper we describe a lightweight implementation of the Secure Sockets Layer (SSL) protocol with a focus on small code size and low memory usage. We integrated a generic public-key crypto library into this SSL stack to support elliptic curve cryptography over arbitrary prime and binary fields. Furthermore, we aimed to secure the SSL handshake against side-channel attacks (in particular simple power analysis) by eliminating all data-dependent or key-dependent branches and memory accesses from the arithmetic operations and compare the resulting performance with an unprotected implementation. Our lightweight SSL stack has only 6% of the code size and RAM requirements of OpenSSL, but outperforms it in point multiplication over prime fields when no appropriate countermeasures against side-channel attacks are implemented. With such countermeasures, however, the execution time of a typical SSL handshake increases by roughly 50%, but still completes in less than 160 msec on a 200 MHz iPAQ PDA when using an elliptic curve over a 192-bit prime field.
parallel, distributed and network-based processing | 2010
Peter Teufl; Udo Payer; Reinhard Fellner
Intrusion Detection Systems (IDS) deploy various sensors that collect data, process this data and report events. The process of combining these events into superordinate incidents is known as event correlation. The key issues of this process are (1) to find a way to combine events based on different data types (e.g. log entries, connection statistics or protocol identifiers), (2) to build a model representing the relations between the events and (3) to apply subsequent analyses that allow us to extract meaningful information from the trained model. In order to address these key issues, we introduce the concept of Activation Patterns. These patterns are generated by applying various techniques from machine learning and artificial intelligence to the raw event data. The presented technique is then integrated into an event correlation system. We describe the system and evaluate it by analyzing a popular intrusion detection data set consisting of a wide range of different features.
international conference on emerging security information, systems and technologies | 2009
Stefan Kraxberger; Udo Payer
Although P2P systems have found their way into almost every field of application, the lack of adequate security concepts, research on specific security algorithms and implementations of suitable security mechanisms is still limiting their full potential. We are focusing on getting an overall view of the security of heterogeneous unstructured P2P systems and finding solutions to this challenging task. This work tries to make the first step towards secure unstructured P2P systems by applying security to routing. Existing secure routing protocols are either intended for structured P2P systems or use mechanisms not adequate for heterogeneous P2P systems. We used the dynamic source routing protocol and its proposed security extensions as a foundation, adapted and modified the inherent principles to comply with the P2P concept and verified the applicability in a real-world system.
mathematical methods models and architectures for network security systems | 2005
Udo Payer; Peter Teufl; Stefan Kraxberger; Mario Lamberger
Driven by the permanent search for reliable anomaly-based intrusion detection mechanisms, we investigated different statistical methodologies to deal with the detection of polymorphic shellcode. The paper intends to give an overview on existing approaches in the literature as well as a synopsis of our efforts to evaluate the applicability of data mining techniques such as Neural Networks, Self Organizing Maps, Markov Models or Genetic Algorithms in the area of polymorphic code detection. We will then present our achieved results and conclusions.
international conference on communications | 2005
Udo Payer; Stefan Kraxberger
This paper presents our progression in the search for reliable anomaly-based intrusion detection mechanisms. We investigated different options of stochastic techniques. We started our investigations with Markov chains to detect abnormal traffic. The main aspect of our prior work was the optimization of transition matrices to obtain better detection accuracy. First, we tried to automatically train the transition matrix with normal traffic. Then, this transition matrix was used to calculate the probabilities of a dedicated Markov sequence. This transition matrix was used to find differences between the trained normal traffic and characteristic parts of a polymorphic shellcode. To improve the efficiency of this automatically trained transition matrix, we modified some entries in a way that byte sequences of typical shellcodes differ substantially from normal network behavior. But this approach did not meet our requirements concerning generalization. Therefore we searched for automatic methods to improve the matrix. Genetic algorithms are adequate tools if only little knowledge about the search space is available and the complexity of the problem is very hard (NP-complete).
annual computer security applications conference | 1998
Herbert Leitold; Udo Payer; Reinhard Posch
Faced with the migration towards broadband networking technologies, formerly visionary applications, as diverse as teleworking, telemedicine or electronic commerce, are expected to emerge into broad usage. This makes confidential communication in broadband networks a challenging basic condition. In this paper, we present an ATM encryption model that is focused on independence from both the hardware of the end-user device and the application utilizing ATM as a transport medium. Therefore, the ATM cell stream is intercepted by high-speed Data Encryption Standard (DES) and Triple-DES encryption hardware, using well-defined standardized interfaces. Considering the various access rates that ATM is defined for, the encryption unit that is being developed is designed to be independent of the physical media and capable of supporting transmission rates of up to 155 Mbps. Thus, the solution is applicable to broadband integrated services digital network (B-ISDN) end-user devices, ranging from narrowband to multi-Mbps access rates.