Automated Attacker Correlation for Malicious Code

Abstract

Correlating attacks is particularly problematic in the digital domain. It is a common scenario that the only real "trace" of an attack that can be obtained is executable code. As such, the executable code of malicious software forms one of the primary pieces of evidence that must be examined in order to establish correlation between seemingly independent events or attacks. Because building advanced and stealthy persistent backdoors ("rootkits") requires a high degree of technical sophistication, it is quite common for code fragments to be re-used. A major obstacle to performing proper correlation between different executables is the high degree of variability that the compiler introduces when generating the final byte sequences. This paper presents the results of research on executable code comparison for attacker correlation. Instead of pursuing a byte-based approach, a structural approach is chosen. The result is a system that can identify code similarities in executables with an accuracy that often exceeds that of a human analyst, and at much higher speed.

Document Details

Document Type
Technical Report
Publication Date
Mar 22, 2010
Accession Number
ADA546372

Entities

People

  • Ero Carrera
  • Sebastian Porst
  • Soeren Meyer-Eppler
  • Thomas Dullien

Tags

DTIC Thesaurus Topics

  • Algorithms
  • Case Studies
  • Coding
  • Compilers
  • Computer Programs
  • Computers
  • Control Systems
  • Databases
  • Device Drivers
  • Disassembly
  • Instructions
  • Malware
  • Numbers
  • Operating Systems
  • Real Numbers
  • Trees (Data Structures)
  • Vector Spaces

Fields of Study

  • Computer science
  • Engineering

Readers

  • Computer Programming and Software Development
  • Cybersecurity
  • Systems Analysis and Design