TY - GEN
T1 - New directions in covert malware modeling which exploit white-listing
AU - Wang, Jisheng
AU - Kesidis, George
AU - Miller, David J.
PY - 2007
Y1 - 2007
N2 - Zero-day attacks - especially those that hide the attack exploit by using code obfuscation and encryption - remain a formidable challenge to existing network defenses. Many techniques have been developed that can address known attacks and similar new attacks that may arise in the future. Some methods, like Earlybird and Polygraph, focus on string-based content prevalence in payloads; others focus on the presence of particular i386 instructions, e.g., Sigfree counts the number of "useful" instructions in each request. For both types of systems, a white-listing mechanism, in which some strings or instructions are regarded as innocuous, is necessary to avoid a high false positive rate associated with common content such as URL addresses and peer-to-peer traffic. In this paper, we explore a more sophisticated attack model that not only makes malcode payloads look like nominal ones, but which is also assumed to be both aware of and exploitative of the white-listing itself in forming a Trojan mechanism. In other words, the malware attempts to embed its malcode into the prevalent content that is normally white-listed. If the malcode is encrypted, the attacker will also attempt to obfuscate its plain-text decryption code as much as possible. Both current string-based and instruction-based systems will likely fail to detect such attacks. We propose a comprehensive IDS model in the paper and discuss some potential defensive mechanisms against such attacks.
UR - http://www.scopus.com/inward/record.url?scp=51849153749&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=51849153749&partnerID=8YFLogxK
U2 - 10.1109/SARNOF.2007.4567340
DO - 10.1109/SARNOF.2007.4567340
M3 - Conference contribution
AN - SCOPUS:51849153749
SN - 1424424836
SN - 9781424424832
T3 - 2007 IEEE Sarnoff Symposium, SARNOFF
BT - 2007 IEEE Sarnoff Symposium, SARNOFF
T2 - IEEE Sarnoff Symposium, SARNOFF 2007
Y2 - 30 April 2007 through 2 May 2007
ER -