Author: Pan Wang, Peng Ning, Douglas S. Reeves

Description:
Anonymity is increasingly important for network applications concerned with censorship and privacy. The existing anonymous communication protocols generally stem from the mixnet and the DC-net. They either cannot provide provable anonymity or suffer from transmission collisions. In this paper, we introduce a novel approach which takes advantage of a hierarchical ring structure and the mix technique. The proposed protocol is collision-free and provides provable k-anonymity for both the sender and the recipient, even if a polynomial-time adversary can eavesdrop on all network traffic and control a fraction of the participants. Furthermore, it can hide the sender and the recipient from each other and thus can be used for anonymous file sharing. The analysis shows that the proposed protocol is secure against various attacks. Measurements further demonstrate that it is practical.

Author: Qinghua Zhang, Douglas S. Reeves, Peng Ning, S. Purushothaman Iyer

Description:
Remotely launched software exploits are a common way for attackers to intrude into vulnerable computer systems. As detection techniques improve, remote exploitation techniques are also evolving. Recent techniques for evasion of exploit detection include polymorphism (code encryption) and metamorphism (code obfuscation). This paper addresses the problem of detecting, in network traffic, polymorphic remote exploits that are encrypted and that self-decrypt before launching the intrusion. Such exploits pose a great challenge to existing malware detection techniques, partly because the starting location of the exploit code in the network payload is not obvious. We describe a new method for detecting self-decrypting exploit code. This method scans network traffic for the presence of a decryption routine, which is characteristic of such exploits. The proposed method uses static analysis and emulated instruction execution techniques. This improves the accuracy of determining the starting location and the instructions of the decryption routine, even if self-modifying code is used. The method outperforms previously proposed approaches, both in detection capability and in detection accuracy. The proposed method has been implemented and tested on current polymorphic exploits, including ones generated by state-of-the-art polymorphic engines. All exploits have been detected (i.e., a 100% detection rate), including those for which the decryption routine is dynamically coded or self-modifying. The false positive rate is close to 0%. Running time is approximately linear in the size of the network payload being analyzed.
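As an added illustration of the emulation side of this idea (this is example code written for this page, not the authors' detector, whose design the abstract only sketches), the Python below emulates a small x86 subset from every candidate offset of a payload and reports a hit when the emulated code first writes into the buffer and then fetches an instruction from a byte it wrote, i.e. it decrypts and then runs the result. The opcode subset, the write-then-execute heuristic, the per-offset step budget and the constructed jmp/call/pop XOR-decoder sample are all assumptions of this example.

```python
"""Added example: emulation-based detection of a self-decrypting payload.

Illustration for this page, not the authors' implementation. A tiny x86
subset is emulated from every start offset; a hit is reported when the
emulated code writes into the buffer and later executes a byte it wrote.
The opcode subset, the heuristic and the sample stub are assumptions.
"""

MAX_STEPS = 4096  # budget per start offset; total work stays ~linear in len(buf)


def _rel8(b):
    """Interpret a byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def emulate(buf, start, max_steps=MAX_STEPS):
    """Emulate from offset `start` (addresses are buffer offsets).

    Returns True if execution reaches an address the emulated code itself
    wrote; False on an unsupported opcode, an out-of-range access, an
    empty-stack pop or when the step budget runs out.
    """
    mem = bytearray(buf)
    written = set()
    esi, ecx = 0, 0
    stack = []
    eip = start
    for _ in range(max_steps):
        if not 0 <= eip < len(mem):
            return False
        if eip in written:
            return True                                    # running decrypted bytes
        op = mem[eip]
        if op == 0xEB and eip + 1 < len(mem):                           # jmp short rel8
            eip = eip + 2 + _rel8(mem[eip + 1])
        elif op == 0x5E:                                                 # pop esi
            if not stack:
                return False
            esi, eip = stack.pop(), eip + 1
        elif op == 0x31 and eip + 1 < len(mem) and mem[eip + 1] == 0xC9:  # xor ecx, ecx
            ecx, eip = 0, eip + 2
        elif op == 0xB1 and eip + 1 < len(mem):                          # mov cl, imm8
            ecx, eip = (ecx & 0xFFFFFF00) | mem[eip + 1], eip + 2
        elif op == 0x80 and eip + 2 < len(mem) and mem[eip + 1] == 0x36:  # xor byte [esi], imm8
            if not 0 <= esi < len(mem):
                return False
            mem[esi] ^= mem[eip + 2]
            written.add(esi)
            eip += 3
        elif op == 0x46:                                                 # inc esi
            esi, eip = (esi + 1) & 0xFFFFFFFF, eip + 1
        elif op == 0xE2 and eip + 1 < len(mem):                          # loop rel8
            ecx = (ecx - 1) & 0xFFFFFFFF
            eip = eip + 2 + _rel8(mem[eip + 1]) if ecx else eip + 2
        elif op == 0xE8 and eip + 4 < len(mem):                          # call rel32
            rel = int.from_bytes(mem[eip + 1:eip + 5], "little", signed=True)
            stack.append(eip + 5)                          # push return address
            eip = eip + 5 + rel
        else:
            return False                                   # opcode outside the toy subset
    return False


def scan(buf):
    """Return the first offset whose emulation shows decrypt-then-execute
    behaviour, or None if no start offset does."""
    for start in range(len(buf)):
        if emulate(buf, start):
            return start
    return None


def build_sample(payload, key):
    """Constructed sample input: a classic jmp/call/pop XOR-decoder stub
    followed by `payload` XORed with `key` (not a real exploit)."""
    n = len(payload)
    if not 0 < n < 256:
        raise ValueError("payload length must fit in cl")
    stub = bytes([
        0xEB, 0x0D,                    # jmp short -> call
        0x5E,                          # pop esi      ; esi = address of payload
        0x31, 0xC9,                    # xor ecx, ecx
        0xB1, n,                       # mov cl, len
        0x80, 0x36, key,               # xor byte [esi], key
        0x46,                          # inc esi
        0xE2, 0xFA,                    # loop -> xor byte [esi]
        0xEB, 0x05,                    # jmp short -> payload
        0xE8, 0xEE, 0xFF, 0xFF, 0xFF,  # call -> pop esi (pushes payload address)
    ])
    return stub + bytes(b ^ key for b in payload)


if __name__ == "__main__":
    sample = build_sample(b"\x90" * 8, 0x5A)   # constructed: NOP sled as the "payload"
    benign = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
    print("sample hit at offset", scan(sample))   # 0
    print("benign hit at offset", scan(benign))   # None
```

The check fires on behaviour rather than on the decoder's bytes, which is why a stub that rewrites itself, or one generated by a polymorphic engine, still trips it as long as it eventually jumps into what it decoded; the fixed step budget per offset is what keeps the whole scan roughly linear in the payload size.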

Author: Yan Zhai, Peng Ning, Purush Iyer, Douglas S. Reeves

Description:
This paper presents techniques to integrate and reason about complementary intrusion evidence, such as alerts generated by intrusion detection systems (IDSs) and reports from system monitoring or vulnerability scanning tools. To facilitate the modeling of intrusion evidence, this paper classifies intrusion evidence as either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, this paper develops techniques to automatically integrate complementary evidence into Bayesian networks, and to reason about uncertain or unknown intrusion evidence based on verified evidence. The experimental results in this paper demonstrate the potential of the proposed techniques. In particular, additional observations by system monitoring or vulnerability scanning tools can potentially reduce the false alert rate and increase the confidence in alerts corresponding to successful attacks.
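To make the event/state distinction concrete, here is a small Bayesian network in Python, added as an example for this page rather than taken from the paper: an IDS alert is the event-based evidence, a scanner's "vulnerable" report is the state-based evidence, and the query is whether the attack actually succeeded. The network shape and every probability in it are constructed assumptions; the point is the direction in which the posterior moves once the scan result is added to the alert.

```python
"""Added example: fusing event-based and state-based evidence in a small
Bayesian network. Illustrative only; the network shape and all probabilities
below are assumptions of this example, not figures from the paper.

Nodes (all Boolean):
  attack    - the intrusive action really happened         (hidden)
  vuln      - the target has the weakness the attack needs (hidden)
  success   - the attack changed system state              (query)
  alert     - event-based evidence: the IDS raised an alert (observed)
  scan_vuln - state-based evidence: the scanner reports the
              weakness as present                          (observed)
"""
from itertools import product

NODES = ("attack", "vuln", "success", "alert", "scan_vuln")

# Constructed conditional probability tables (assumptions, not measured data).
P_ATTACK = 0.05                              # prior that the attack occurred
P_VULN = 0.30                                # prior that the weakness is present
P_ALERT = {True: 0.90, False: 0.02}          # P(alert | attack): sensitivity, false-alert rate
P_SCAN_VULN = {True: 0.95, False: 0.05}      # P(scan_vuln | vuln): scanner accuracy
P_SUCCESS = {                                # P(success | attack, vuln)
    (True, True): 0.80, (True, False): 0.01,
    (False, True): 0.00, (False, False): 0.00,
}


def joint(attack, vuln, success, alert, scan_vuln):
    """Joint probability of one full assignment, following the network's edges."""
    p = P_ATTACK if attack else 1.0 - P_ATTACK
    p *= P_VULN if vuln else 1.0 - P_VULN
    ps = P_SUCCESS[(attack, vuln)]
    p *= ps if success else 1.0 - ps
    pa = P_ALERT[attack]
    p *= pa if alert else 1.0 - pa
    pv = P_SCAN_VULN[vuln]
    p *= pv if scan_vuln else 1.0 - pv
    return p


def posterior(query, **evidence):
    """P(query is True | evidence), by enumerating all 2^5 assignments."""
    num = den = 0.0
    for values in product((False, True), repeat=len(NODES)):
        world = dict(zip(NODES, values))
        if any(world[k] != v for k, v in evidence.items()):
            continue                         # inconsistent with the observations
        p = joint(**world)
        den += p
        if world[query]:
            num += p
    return num / den


def compare_evidence():
    """Belief that the attack succeeded, with and without the state-based evidence."""
    return {
        "attack|alert": posterior("attack", alert=True),
        "success|alert": posterior("success", alert=True),
        "success|alert,scan_vuln": posterior("success", alert=True, scan_vuln=True),
        "success|alert,not_vuln": posterior("success", alert=True, scan_vuln=False),
    }


if __name__ == "__main__":
    for name, value in compare_evidence().items():
        print(f"P({name}) = {value:.3f}")
```

With these assumed tables the alert alone leaves the success probability under 20%; a scanner report that the weakness is present lifts it to about 50%, and a report that it is absent pushes it below 2%. That is the mechanism the abstract describes: the state-based observation does not change what the IDS saw, but it changes how much a responder should trust that the observed action mattered, so alerts on non-vulnerable hosts can be de-prioritized without silencing the sensor.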