Spring 2008 Database Seminar
Thursday Mar. 26th, 2008
CSE Room 404
12:00 - 1:00pm
A Probabilistic Approach to Detect Malware in Text
P.K. Manna
While a considerable amount of research has been done on detecting
binary worms that exploit buffer-overflow vulnerabilities, very little
effort has been spent on detecting worms that consist only of text, i.e.,
printable ASCII characters. Such text-based malware can be as potent as
its binary counterpart. However, existing malware detectors often either
do not examine the text stream at all or are not well suited to
efficiently detecting worms in the text stream, because of the structural
properties of the text payload. We analyze the potentials and constraints
of ASCII (text) worms vis-a-vis their binary counterparts, and devise a
probabilistic detection technique that exploits those limitations.
The nub of this detection approach is that when we disassemble any random
character stream into instructions and execute the instruction sequence,
the probability is very high that one of the instructions on the execution
path will cause an error, thus aborting the execution (which is not the case
with malware, where the execution path will be long and error-free). We
devise a model that calculates the probability distribution of the length of
this execution path in a random character stream. We introduce DAWN, a novel
ASCII worm detection strategy that is fast, easily deployable, and has
very little overhead. Unlike many signature-based detection models, DAWN is
completely signature-free and is therefore capable of detecting zero-day
outbreaks of ASCII worms.
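The following is an added illustration of the probabilistic idea in the abstract, not code from the talk or from DAWN. It uses a hypothetical toy instruction set over the 95 printable ASCII bytes (a constructed assumption: 16 opcodes fault, 10 take a one-byte operand, the rest execute harmlessly), computes the analytical survival probability of an error-free execution path of length n in an i.i.d. random text stream, checks it by simulation, and derives a flagging threshold from a chosen false-positive budget. The real x86 decoding and the model in the paper are more involved; only the reasoning pattern is shown.

```python
import math
import random

# Hypothetical toy ISA over printable ASCII (0x20..0x7E); not x86 and not DAWN's model.
PRINTABLE = bytes(range(0x20, 0x7F))
FAULTING = frozenset(range(0x20, 0x30))   # constructed: 16 opcodes abort execution
TWO_BYTE = frozenset(range(0x30, 0x3A))   # constructed: 10 opcodes consume one operand byte
P_FAULT = len(FAULTING) / len(PRINTABLE)  # per-instruction fault probability, 16/95


def path_length(stream: bytes, start: int = 0) -> int:
    """Instructions executed from `start` before a fault or the end of the stream."""
    pc, executed = start, 0
    while pc < len(stream):
        op = stream[pc]
        if op in FAULTING:
            break                          # random text usually dies here quickly
        pc += 2 if op in TWO_BYTE else 1   # operand byte is skipped, never decoded
        executed += 1
    return executed


def survival(n: int, p: float = P_FAULT) -> float:
    """Analytical P(error-free path >= n) when each opcode is an independent draw."""
    return (1.0 - p) ** n


def estimate_survival(n: int, trials: int, seed: int, stream_len: int = 100) -> float:
    """Monte Carlo check of survival(n) on constructed random printable streams."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s = bytes(rng.choice(PRINTABLE) for _ in range(stream_len))
        if path_length(s) >= n:
            hits += 1
    return hits / trials


def threshold(alpha: float, offsets: int, p: float = P_FAULT) -> int:
    """Smallest path length whose union-bound false-positive rate over all
    `offsets` candidate entry points is at most `alpha`."""
    return math.ceil(math.log(alpha / offsets) / math.log(1.0 - p))


def longest_run(stream: bytes) -> int:
    """Longest error-free path over every possible entry point (the detector's statistic)."""
    return max((path_length(stream, i) for i in range(len(stream))), default=0)


def is_suspicious(stream: bytes, alpha: float = 1e-4) -> bool:
    """Flag a stream whose longest executable run is implausibly long for random text."""
    return longest_run(stream) >= threshold(alpha, max(1, len(stream)))


if __name__ == "__main__":
    print("P(path >= 10) analytical:", round(survival(10), 4))
    print("P(path >= 10) simulated: ", estimate_survival(10, 5000, seed=1))
    print("flag threshold for 200-byte stream:", threshold(1e-4, 200))
    print("punctuated text suspicious?", is_suspicious(b"AAA!" * 50))   # constructed input
    print("200 harmless opcodes suspicious?", is_suspicious(b"A" * 200))  # constructed input
```

The detector statistic is the longest error-free run over all entry points, so the false-positive budget has to be divided across those entry points (the union bound in `threshold`); with a per-instruction fault probability of about 0.17 the survival probability decays geometrically, which is why even a modest threshold separates ordinary text from a stream that decodes cleanly for dozens of instructions.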
For upcoming talks, visit http://www.cise.ufl.edu/dbcenter/seminar.shtml.