Kizzle: A Signature Compiler for Detecting Exploit Kits
Abstract: In recent years, the drive-by malware space has undergone significant consolidation. Today, the most common source of drive-by downloads are the so-called exploit kits (EKs). This paper presents Kizzle, the first prevention technique specifically designed for finding exploit kits. Our analysis shows that while the JavaScript delivered by kits varies greatly, the unpacked code varies much less, due to the kit authors' code reuse between versions. Ironically, this well-regarded software engineering practice allows us to build a scalable and precise detector that is able to quickly respond to superficial but frequent changes in EKs. Kizzle is able to generate anti-virus signatures for detecting EKs, which compare favorably to manually created ones. Kizzle is highly responsive and can generate new signatures within hours. Our experiments show that Kizzle produces high-accuracy signatures. When evaluated over a four-week period, false-positive rates for Kizzle are under 0.03%, while the false-negative rates are under 5%.
Similarity-based matching meets Malware Diversity
Abstract: Similarity metrics, e.g., signatures as used by anti-virus products, are the dominant technique to detect if a given binary is malware. The underlying assumption of this approach is that all instances of a malware (or even malware family) will be similar to each other. Software diversification is a probabilistic technique that uses code and data randomization and expressiveness in the target instruction set to generate large amounts of functionally equivalent but different binaries. Malware diversity builds on software diversity and ensures that any two diversified instances of the same malware have low similarity (according to a set of similarity metrics). An LLVM-based prototype implementation diversifies both code and data of binaries and our evaluation shows that signatures based on similarity only match one or few instances in a pool of diversified binaries generated from the same source code.