Lecture Notes in Computer Science 5587
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, University of Dortmund, Germany
Madhu Sudan, Massachusetts Institute of Technology, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Ulrich Flegel, Danilo Bruschi (Eds.)
Detection of Intrusions and Malware, and Vulnerability Assessment
6th International Conference, DIMVA 2009
Como, Italy, July 9-10, 2009
Proceedings

Volume Editors
Ulrich Flegel, SAP Research Center Karlsruhe, Karlsruhe, Germany. E-mail: ulrich.flegel@sap.com
Danilo Bruschi, Università degli Studi di Milano, Dipartimento di Informatica e Comunicazione, Milano, Italy. E-mail: bruschi@dico.unimi.it

Library of Congress Control Number: Applied for
CR Subject Classification (1998): E.3, K.6.5, K.4, C.2, D.4.6
LNCS Sublibrary: SL 4, Security and Cryptology
ISSN 0302-9743
ISBN-10 3-642-02917-5 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-02917-2 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.
springer.com
Springer-Verlag Berlin Heidelberg 2009
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
SPIN: 12716173 06/3180 543210
Preface

On behalf of the Program Committee, it is our pleasure to present the proceedings of the 6th GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Since 2004, DIMVA annually brings together leading researchers and practitioners from academia, government and industry to present and discuss novel security research. DIMVA is organized by the Special Interest Group Security Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI).

The DIMVA 2009 Program Committee received 44 submissions from industrial and academic organizations from 17 different countries. Each submission was carefully reviewed by at least three Program Committee members or external experts. The submissions were evaluated on the basis of scientific novelty, importance to the field and technical quality. The final selection took place at the Program Committee meeting held on March 23, 2009, in Brussels, Belgium. Ten full papers and three extended abstracts were selected for presentation and publication in the conference proceedings.

The conference took place during July 9-10, 2009, at Villa Gallia, Lake Como, Italy, with the program grouped into five sessions. Two keynote speeches were presented by Richard A. Kemmerer (University of California, Santa Barbara) and Henry Stern (Ironport / Cisco). The conference program was complemented by the Capture-the-Flag contest CIPHER (Challenges in Informatics: Programming, Hosting and ExploRing) organized by Lexi Pimenidis (idev GmbH) and a rump session organized by Sven Dietrich (Stevens Institute of Technology).

A successful conference is the result of the joint effort of many people. In particular, we would like to thank all the authors who submitted contributions. We also thank the Program Committee members and the additional reviewers for their hard work and diligent evaluation of the submissions. In addition we thank Thorsten Holz (University of Mannheim) for sponsor arrangements and Sebastian Schmerl (Technical University of Cottbus) for advertising the conference.

July 2009
Ulrich Flegel
Danilo Bruschi
Organization

DIMVA was organized by the Special Interest Group Security Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI).

Organizing Committee
General Chair: Danilo M. Bruschi, Università degli Studi di Milano, Italy
Program Chair: Ulrich Flegel, SAP Research
Rump Session Chair: Sven Dietrich, Stevens Institute of Technology, USA
Sponsorship Chair: Thorsten Holz, University of Mannheim, Germany
Publicity Chair: Sebastian Schmerl, Technical University of Cottbus, Germany

Program Committee
Thomas Biege, Novell, Germany
Gunter Bitz, SAP AG, Germany
Herbert Bos, Vrije Universiteit Amsterdam, The Netherlands
Danilo Bruschi, Università degli Studi di Milano, Italy
Roland Büschkes, RWE IT, Germany
Marc Dacier, Symantec Research Labs Europe, France
Hervé Debar, France Télécom R&D, France
Sven Dietrich, Stevens Institute of Technology, USA
Toralv Dirro, McAfee Avert Labs, Germany
Thomas Dullien, Zynamics, Germany
Bernhard Hämmerli, Acris GmbH and HSLU Lucerne, Switzerland
Marc Heuse, Baseline Security Consulting, Germany
Thorsten Holz, University of Mannheim, Germany
Erland Jonsson, Chalmers University of Technology, Sweden
Klaus Julisch, IBM Zurich Research Laboratory, Switzerland
Engin Kirda, Eurecom, France
Christian Kreibich, International Computer Science Institute, USA
Christopher Kruegel, UC Santa Barbara, USA
Pavel Laskov, University of Tuebingen, Germany
Wenke Lee, Georgia Institute of Technology, USA
Javier Lopez, University of Malaga, Spain
John McHugh, UNC and Dalhousie University, Canada
Michael Meier, Technical University of Dortmund, Germany
George Mohay, Queensland University of Technology, Australia
Martin Rehák, Czech Technical University in Prague, Czech Republic
Konrad Rieck, Berlin Institute of Technology, Germany
Sebastian Schmerl, BTU-Cottbus, Germany
Robin Sommer, ICSI/LBNL, USA
Salvatore Stolfo, Columbia University, USA
Peter Szor, Symantec Corporation, USA
Bernhard Thurm, SAP Research, Germany
Al Valdes, SRI International, USA

Additional Reviewers
Martin Apel, Marco Balduzzi, Ulrich Bayer, Armin Büscher, Patrick Duessel, Manuel Egele, Christian Gehl, Cristian Grozea, Grégoire Jacob, Wolfgang John, Matthias Kohler, Tammo Krueger, Lorenzo Martignoni, Tomas Olovsson, Emanuele Passerini, Pratap Prabhu, Guido Schwenk, Asia Slowinska

Steering Committee
Chairs:
Ulrich Flegel, SAP Research
Michael Meier, Technical University of Dortmund, Germany
Members:
Roland Büschkes, RWE IT
Hervé Debar, France Télécom R&D, France
Bernhard Hämmerli, Acris GmbH and HSLU Lucerne, Switzerland
Marc Heuse, Baseline Security Consulting
Klaus Julisch, IBM Zurich Research Lab, Switzerland
Christopher Kruegel, UC Santa Barbara, USA
Pavel Laskov, University of Tuebingen, Germany
Robin Sommer, ICSI/LBNL
Diego Zamboni, IBM Zurich Research Lab, Switzerland
Table of Contents

Malware and SPAM
A Case Study on Asprox Infection Dynamics ... 1
  Youngsang Shin, Steven Myers, and Minaxi Gupta
How Good Are Malware Detectors at Remediating Infected Systems? ... 21
  Emanuele Passerini, Roberto Paleari, and Lorenzo Martignoni
Towards Proactive Spam Filtering (Extended Abstract) ... 38
  Jan Göbel, Thorsten Holz, and Philipp Trinius

Emulation-Based Detection
Shepherding Loadable Kernel Modules through On-demand Emulation ... 48
  Chaoting Xuan, John Copeland, and Raheem Beyah
Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks ... 68
  Makoto Shimamura and Kenji Kono
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks ... 88
  Manuel Egele, Peter Wurzinger, Christopher Kruegel, and Engin Kirda

Software Diversity
Polymorphing Software by Randomizing Data Structure Layout ... 107
  Zhiqiang Lin, Ryan D. Riley, and Dongyan Xu
On the Effectiveness of Software Diversity: A Systematic Study on Real-World Vulnerabilities ... 127
  Jin Han, Debin Gao, and Robert H. Deng

Harnessing Context
Using Contextual Information for IDS Alarm Classification (Extended Abstract) ... 147
  François Gagnon, Frédéric Massicotte, and Babak Esfandiari
Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications ... 157
  Ting-Fang Yen, Xin Huang, Fabian Monrose, and Michael K. Reiter
A Service Dependency Modeling Framework for Policy-Based Response Enforcement ... 176
  Nizar Kheir, Hervé Debar, Frédéric Cuppens, Nora Cuppens-Boulahia, and Jouni Viinikka

Anomaly Detection
Learning SQL for Database Intrusion Detection Using Context-Sensitive Modelling (Extended Abstract) ... 196
  Christian Bockermann, Martin Apel, and Michael Meier
Selecting and Improving System Call Models for Anomaly Detection ... 206
  Alessandro Frossi, Federico Maggi, Gian L. Rizzo, and Stefano Zanero

Author Index ... 225