New directions in covert malware modeling which exploit white-listing

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

Zero-day attacks, especially those that hide the attack exploit by using code obfuscation and encryption, remain a formidable challenge to existing network defenses. Many techniques have been developed that can address known attacks and similar new attacks that may arise in the future. Some methods, like Earlybird and Polygraph, focus on string-based content prevalence in payloads; others focus on the presence of particular i386 instructions, e.g., Sigfree counts the number of "useful" instructions in each request. For both types of systems, a white-listing mechanism, in which some strings or instructions are regarded as innocuous, is necessary to avoid the high false positive rate associated with common content such as URL addresses and peer-to-peer traffic. In this paper, we explore a more sophisticated attack model that not only makes malcode payloads look like nominal ones, but is also assumed to be aware of, and to exploit, the white-listing itself, forming a Trojan mechanism. In other words, the malware attempts to embed its malcode into the prevalent content that is normally white-listed. If the malcode is encrypted, the attacker will also attempt to obfuscate its plain-text decryption code as much as possible. Both current string-based and instruction-based systems will likely fail to detect such attacks. We propose a comprehensive IDS model in the paper and discuss some potential defensive mechanisms against such attacks.
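The white-list blind spot the abstract describes, as an added example that is not code from the paper or its authors: a toy n-gram content-prevalence detector in the spirit of Earlybird/Polygraph that skips URL-shaped content, run over constructed HTTP requests. A naive carrier puts the constant malcode bytes in the request body and is caught; a white-list-aware carrier places the same bytes, URL-encoded, inside a Referer URL and produces no alert at all. The URL regex, n-gram length, support thresholds, the traffic and the placeholder "malcode" bytes are all assumptions made for the illustration.

```python
"""
Added illustration (not code from the paper): a toy content-prevalence
detector with a white-list rule that skips URL-shaped content, and a
malcode carrier that hides inside exactly that white-listed content.
All traffic below is constructed.
"""
import re
from collections import Counter
from urllib.parse import quote_from_bytes

N = 4  # n-gram length used for prevalence counting (assumed)

# Illustrative white-list rule: anything that looks like an absolute URL is
# treated as innocuous and excluded from analysis.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def analysed_segments(payload: bytes, apply_whitelist: bool = True):
    """Split a payload into the byte ranges the detector actually inspects."""
    if not apply_whitelist:
        return [payload]
    segments, pos = [], 0
    for m in URL_RE.finditer(payload):
        segments.append(payload[pos:m.start()])
        pos = m.end()
    segments.append(payload[pos:])
    return segments


def ngrams(payload: bytes, apply_whitelist: bool = True):
    """Set of n-grams drawn only from the inspected segments."""
    out = set()
    for seg in analysed_segments(payload, apply_whitelist):
        out.update(seg[i:i + N] for i in range(len(seg) - N + 1))
    return out


def prevalent(payloads, min_support, apply_whitelist=True):
    """n-grams present in at least min_support of the payloads."""
    counts = Counter()
    for p in payloads:
        counts.update(ngrams(p, apply_whitelist))
    return {g for g, k in counts.items() if k >= min_support}


def signatures(suspect, benign, apply_whitelist=True):
    """Prevalent-in-suspect n-grams that are not already common in benign traffic."""
    return (prevalent(suspect, len(suspect), apply_whitelist)
            - prevalent(benign, 2, apply_whitelist))


# --- constructed traffic -------------------------------------------------
HEAD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n")
BENIGN = [HEAD + b"Referer: http://www.example.com/page%d.html\r\n\r\n" % i
          for i in range(6)]

# Stand-in for "decoder stub + encrypted body": an opaque, constant byte string.
MALCODE = b"<<decoder-stub>>" + bytes((37 * i + 11) & 0xFF for i in range(32))

# Attack 1: malcode carried in the request body, outside any white-listed region.
NAIVE = [HEAD + b"Content-Length: %d\r\n\r\n" % (len(MALCODE) + 4)
         + b"%02d::" % i + MALCODE for i in range(10)]

# Attack 2: the same bytes, URL-encoded, carried inside a Referer URL so that
# the white-list rule excludes them from inspection entirely.
CARRIER = quote_from_bytes(MALCODE).encode()
AWARE = [HEAD + b"Referer: http://h%d.example.net/t?id=" % i + CARRIER
         + b"\r\n\r\n" for i in range(10)]


def run():
    naive_sigs = signatures(NAIVE, BENIGN)
    aware_sigs = signatures(AWARE, BENIGN)
    # One crude countermeasure (illustrative, not the paper's proposal):
    # inspect the white-listed regions as well, at the cost of the false
    # positives the white-list was introduced to avoid.
    aware_sigs_nowl = signatures(AWARE, BENIGN, apply_whitelist=False)
    return {
        "naive_detected": any(g in MALCODE for g in naive_sigs),
        "aware_alerts": len(aware_sigs),
        "aware_detected_without_whitelist": any(g in CARRIER for g in aware_sigs_nowl),
    }


if __name__ == "__main__":
    print(run())
```

Running it reports the naive carrier as detected, zero candidate signatures for the white-list-aware carrier, and detection again only once the URL regions are inspected. The last result is the trade-off the abstract points at: the white-list exists because URL n-grams are prevalent in benign traffic too, so simply removing it reintroduces the false positives it was meant to suppress.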

Original language: English (US)
Title of host publication: 2007 IEEE Sarnoff Symposium, SARNOFF
DOIs
State: Published - 2007
Event: IEEE Sarnoff Symposium, SARNOFF 2007 - Princeton, NJ, United States
Duration: Apr 30 2007 to May 2 2007

Publication series

Name: 2007 IEEE Sarnoff Symposium, SARNOFF

Other

Other: IEEE Sarnoff Symposium, SARNOFF 2007
Country/Territory: United States
City: Princeton, NJ
Period: 4/30/07 to 5/2/07

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Electrical and Electronic Engineering
  • Communication
