Review of  the conference
DIMVA, Detection of Intrusions, Malware, and Vulnerability Assessment,
Vienna, Austria
July 7-8, 2005

Review by Sven Dietrich
July 18, 2005

Introduction

DIMVA 2005, the second installation of this European-focused conference (and for the first time in cooperation with the IEEE Technical Committee on Security and Privacy), took place in beautiful Vienna, Austria. Local chair was Christopher Kruegel at the Technical University (TU) Vienna. Sessions were held in a lecture hall at the TU Vienna, only a five-minute walk from the recommended hotel.

The conference was attended by about 85 people, mostly practitioners and industry representatives from German-speaking Europe, but there were a few attendees from Eastern Europe and the US as well as some from universities. After the German Informatics Society Meeting, there was a reception at City Hall on Thursday evening, hosted by the Mayor of Vienna. The mayor himself did not attend, but instead sent a representative from the City Council.

DIMVA 2006 will be in Berlin, Germany. Approximate time frame: early July 2006.

The papers and the slides for the presentations should be available from the website at some point in the near future.

Day 1: July 7, 2005

The conference chair, Klaus Julisch, could not make it to the conference, so he was replaced by local chair Christopher Kruegel. The sessions were held in a circa-1970s/1980s physics/chemistry auditorium, which was very steep, but comfortably held us all. Wireless service had been provided to us courtesy of the TU Vienna, but power outlets were scarce. Breaks were held outside the auditorium, or by quick dashes over to a coffee house (this being Vienna, after all!) at the nearby Naschmarkt or elsewhere.

Keynote

The Ultimate Honeypot
Philip Attfield (Northwestern Security Institute, Seattle, WA, USA)

Phil gave a very entertaining keynote speech, describing his role as an analyst in the 1999/2000 FBI case against Ivanov and Goshkov, two Russian consultants/perpetrators. The Russians were lured to the US to show off their hacking skills, which, of course, led to their arrest. Phil very clearly showed the steps involved that led to their discovery by piecing together many tidbits, including information gathered from an FBI honeypot, such as cracking/ tools, code, and other artifacts. Phil's role was mostly that of reverse-engineering the tools. He also mentioned how this gathered information gets into a trial, what the complexity of the investigations and actions are, and how it all is just a game of chess.

His comic relief was what he caught (on camera) in his Canadian honeypot: a 400 kg (880 pound) bear.

Session 1: Obfuscated Code Detection (Session chair: Engin Kirda)

Analyzing Memory Accesses in Obfuscated x86 Executables
Michael Venable, Mohamed Chouchane, Md Enamul Karim, and Arun Lakhotia (University of Louisiana at Lafayette, USA)
Arun Lakhotia presented

Arun explained how this project emerged from a past project of detecting malicious behavior. Here they are taking a new approach using IDA Pro, using model checking. While there had been 50 years of code analysis, it had been mostly for benign purposes. Looking at the typical analysis pipelines, he identified the disassemble/extract procedures, extracting the control and data flow, verifying the properties found and the certification/reject process after a check with a database. The technique is by no means hardened, as there are silent failures. Motivated by obfuscation of malware, there are some techniques to deobfuscate calls (doc) and to reverse self-transformations (unmorph). All results are patent pending. He then described VSA (Value State Analysis?) and Reduced Interval Congruence (RIC), which tracks the states/ranges of memory registers (e.g. eax). The operations supported are add, sub, and mov, but not mul or div, which are considered hard.

The tool then annotates obfuscations in IDA Pro, as he showed in one screenshot from his prototype. The current shortcomings are limited memory support, exponential growth for the path to each instruction, the control flow graph grows with each branch, and limited structure exception handling.

Hybrid Engine for Polymorphic Shellcode Detection
Udo Payer, Peter Teufl, and Mario Lamberger (Institute of Applied Information Processing and Communications, Austria)
Udo Payer presented

Udo explained that this engine was part of POSITIF (Policy-based security tools and framework), which is funded with European Commission supoort. He presented the detection engine, which is structured in 3 phases, the phase 1 nop zone detection (simple - searches for consecutive nop bytes, taken from admmutate/clet), phase 2 execution chain evaluation (disassembles the bytestream after nop zone, decreases noise, stores encryption keys, ignores junk bytes, and get instructions used by decryption engines), and the phase 3 neural network classfication (29 input neurons - 29 features, 12 hidden layer neurons, and 1 output neuron - training using Levenberg). The neural network classification is done as a snort plugin. They looked at different shellcode engines (XOR, TEA). For results, they trained the engine with 2000 positive examples, and 9 GB of negative data. There were only 24 false positives in 4 months. He claimed that the engine can be trained on new polymorphic shellcode engines without in-depth knowledge, and that it could detect shellcode engines not used during the training process.

For further work, they are looking at unsupervised learning, other methods for phase 2, automatic feature selection. Currently this detection engine is implemented as a prototype only.

Session 3: Vulnerability Assessment and Exploit Analysis (Session chair: Giovanni Vigna)

Automatic Detection of Attacks on Cryptographic Protocols: A Case Study
Ivan Cibrario B., Luca Durante, Riccardo Sisto, and Adriano Valenzano (Politecnico di Torino, Italy)
Riccardo Sisto presented

Riccardo presented a case study on detection of attacks on cryptographic protocols. He used S^3A, built on Abadi's Spi Calculus (1998). Being untyped, this technique allows the detection of type flaw attacks. The typical goals are secrecy and authenticity, based on testing equivalence verification of spi calculus specifications using state space exploration. There are state transition models, attack information, and intruder specifications. The main features of S^3A are the automatic check, symbolic representation of messages, and the enhanced performance (state space explosion) by reduction based on partial orders and symmetries. Riccardo looked at a reduced version of the Yahalom protocol, where S^3A found a type flaw attack. His verification method finds previously unknown type flaw attacks. S^3A was also able to find other attacks found by the usual suspects (Isabelle, BAN, etc.). S^3A was not used (attendee question) to verify the Needham-Schroeder, or Needham-Schroeder-Lowe protocols). This talk did not quite fit the other talks, being the most theoretical one.

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
Thomas Dubendorfer, Arno Wagner, Theus Hossmann, and Bernhard Plattner (ETH Zurich, Switzerland)
Thomas Dubendorfer presented

Thomas' motivation for the worm analysis was: a basis for R&D, worm detection, effective countermeasures, and to understand its impact. For this research, worm code was used in testbeds and its flows recorded there and also in the Swiss SWITCH backbone network (AS559). Related to Arno Wagner's DDoSVax project, this project looked at Cisco Netflow v5 information to analyze various stages of the worm (A through E, from initial contact to ultimate infection) and their visibility on the SWITCH network. They were able to identify various multi-stage worm attacks, their success and failure to infect (many graphs were shown), narrow down candidates for a patient zero, and observe delay between internal and external (with respect to the backbone) infection.

At 17GB/day and 6TB/year of data, they are looking at long-term analysis (and storage, of course) beyond that of Blaster and Sobig, and at algorithms for worm detection.

METAL - A Tool for Extracting Attack Manifestations
Ulf Larson, Emilie Lundin-Barse, and Erland Jonsson (Chalmers University of Technology, Sweden)
Ulf larson presented

Ulf presented a framework for extracting attack manifestations from log data using the METAL tool. Faced with the difficulty of discriminating between benign and malicious activity, they resort to the Lundin-Barse (one of the co-authors) 8-step framework. One of the steps (step 5) requires (human?) comparison between logs of normal operation with logs captured during an attack. METAL automates this step: based on input data (logs, sanitizing rules) and action components (preprocessors, sanitizer, process matcher, extractor), it yields output data (manifestation reports, attack overview, and a relationship tree) that can eventually be used by other frameworks or tools. The types of output data include alternate program flows, use of resources, etc. If a process has been slightly changed, a manifestation is generated. Reduced work that took weeks (manually) to about an hour: found 5 attacks, including 3 that had been extracted manually beforehand.

GI SIDAR meetings

As the conclusion of the first day, Ulrich Flegel (University of Dortmund, Germany) presented an overview of the German Informatics Society special interest group SIDAR, one of the sponsors and organizers of the conference.

Day 2: July 8, 2005

Session 4: Anomaly Detection (Session chair: Ulrich Flegel)

A Learning-Based Approach to the Detection of SQL Attacks
Fredrik Valeur, Darren Mutz, and Giovanni Vigna (UC Santa Barbara, USA)
Giovanni Vigna presented

Giovanni presented his work on detection of SQL attacks, focusing on user password resetting, parallel password guessing, and cross-site scripting, on a standard LAMP installation (Linux, Apache, MySQL, PHP). Closely related works are: S. Lee, ESORICS 2002 "Learning Fingerprints for a db IDS", Halfond et al, ICSE Workshop on Dynamic Analysis 2005, "Combining Static Analysis and Runtime Monitoring to Counter SQL-injection attacks" and some commercial tools (but difficult to compare since they are not open, such as Imperva's Securesphere).

The authors looked at detection models based on: string length, string character distribution, and string prefix, suffix etc. The detection tool was evaluated against a real-world application and real novel attacks. Detection rate and false positive rates are satisfactory (0.37% false positive, lower by customizing). The tool is comparable to appShield, but again difficult to compare since there is no available information on it.

Planned work: more testing, and integration with webAnomaly and sysAnomaly.

Masquerade Detection via Customized Grammars
Mario Latendresse (Volt Services/Northrop Grumman, FNMOC U.S. Navy, USA)

Mario presented an algorithm for efficiently detecting a masquerade, an intruder pretending to be a legitimate Unix user. By using the Schonlau datasets (behavioral, 70 users, 50 users as victims, 20 as intruders, 5000 commands for each legitimate user), looked at what is legitimate and what is considered a masquerade, taking into consideration that shared scripts will cause repeated sequences among users. His Sequitur algorithm detects such nestings efficiently (linear complexity), with the highest detection rate on the Schonlau datasets. Computational cost is low, so it can be used in real time. However, the Schonlau data doesn't contain the parameters to the commands, nor does it consider the timings, so the approach is a bit unrealistic for now. He plans to generalize it to system calls.

A Prevention Model for Algorithmic Complexity Attacks
Suraiya Khan and Issa Traore (University of Victoria, Canada) Issa Traore presented

Issa explained that this model is part of the SPIDeR project (network anomaly detectors, host anomaly detectors), with focus on DoS components, in particular the resource exhaustion part, motivated by economic reasons. The goal is to develop a prevention mechanism against complexity attacks, and to improve upon Crosby's work (USENIX Security 2003). For the authors, the impact of this kind of attack is the response time (which is waiting time plus service time). While Gligor has looked at waiting time, Traore wants to look at service time. Possible detection principles rely on input size, the likelihood of the service time, and the temporal density of less likely input.

The prevention model works as follows: computer execution time and drop probability in case the request doesn't finish in time. Most likely service times are computed using regression analysis. Detection principle: nonconforming request: test request has consumed more than the conservative most likely time but did not finish yet, then it is a prabable attack.

Evaluation was done with a Pentium 350 MHz, Fedora Core, using offline analysis (regression) and runtime analysis (process data), and yielding various results depending on deterministic vs. randomized algorithm, and the respective scenarios.

Session 6: Distributed Intrusion Detection and Testing (Session chair: Hartmut Konig)

Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context
Holger Dreger (Technical University Munich, Germany), Christian Kreibich (University of Cambridge, UK), Vern Paxson (ICSI and LBNL, USA), and Robin Sommer (Technical University Munich, Germany)
Robin Sommer presented

Motivated by the shortcomings in network-based and host-based intrusion detection systems, the authors propose to combine the two approaches. While a server application can analyze input, the network-based intrusion detection system (NIDS) analyzes all connections. It would be great if the NIDS could verify its findings against the host's, so enable the host to send information to the NIDS. Robin showed an integration of host-based context into Bro, implemented for Apache and Bro. Since Bro and Apache do URL rewriting differently, this allows elimination of uninteresting matches. It has low impact on the server (455 bytes per request), so it scales well. Host context can supplement or replace analysis. The next step will be to instrument sshd, since that allows feeding of unencrypted host-context to the NIDS.

TCPtransform: Property-Oriented TCP Traffic Transformation
Seung-Sun "Gary" Hong, Fiona Wong, S. Felix Wu (UC Davis, USA), Bjorn Lilja, Tony Y. Jansson, Henric Johnson, and Arne Nelsson (Blekinge Institute of Technology, Sweden)
Presented by Gary Hong

TCPtransform (offline version of TCPopera), is a trace-based replay tool, motivated by traffic testing for security products, in-line devices, IPS, firewalls, and routers. The goal is to replay traffic captured from the Minos honeypot on DETER, which UC Davis participates in. The design goals are to do property-oriented trace replaying: extract traffic parameters from input trace records, adjust traffic parameters, and feed new traffic parameters to input packet sequences. The TCPtransform components include flow preprocessors, UP flow processors, traffic models, TCP functions, and packet injections/capturing. It was validated using the DARPA IDEVAL99 (first 12 hours of 3/29/99) dataset. In the future, they hope to port it to DETER, adding new TCP/UDP models

Session 7: Industry Session (Session chair: Marc Heuse)

Note: this session contained presentations only. No papers exist for these.

Implementation of Honeytoken Module in DBMS Oracle 9iR2 Enterprise Edition for Internal Malicious Activity Detection
Antanas Cenys, Darius Rainys, Lukas Radvilavicius (Informtion Systems Laboratory, Lithuania), and Nikolaj Goranin (Vilnius Gediminas Technical University, Lithuania)
Antanas Cenys presented

After being (falsely) introduced as being from Louisiana, Antanas gave us an extra overview of Lithuania, information security there (growing interest due to incidents). While his Vilnius research group participates in the EURECOM/Leurre honeypot project, his interest is in "lures" or "honeytokens" used in the context of a database. Use of these "tokens" shows that the database has been compromised. Nothing new here.

Function Call Tracing Attacks To Kerberos 5
Julian Rrushi and Emilia Rosti (Universita degli Studi di Milano, Italy)
Julian Rrushi presented

Julian talked about his experiences in function call tracing, through interposition libraries (binaries were not modified). For Kerberos, one could attach to the Kerberos process.

Combining IDS and Honeynet Methods for Improved Detection and Automatic Isolation of Compromised Systems
Stephan Riebach, Birger Toedtmann, and Erwin Rathgeb (University Duisburg-Essen, Germany)
Stephan Riebach presented

Due to the impact of intrusion response (self-inflicted DoS), the authors look at isolating hosts rather than disabling them via an automated mechanism. Later the hosts can he rehabilitated. Current prototype has limitations as it can handle only one system at a time and one broadcast domain. Skype currently produces false positives and can be used to trigger isolations.

The conference adjourned.