Person:
Lee, Wenke

Publication Search Results

  • Item
    Evaluating Bluetooth as a Medium for Botnet Command and Control
    (Georgia Institute of Technology, 2009) Jain, Nehil ; Lee, Wenke ; Sangal, Samrit ; Singh, Kapil ; Traynor, Patrick
    Malware targeting mobile phones is being studied with increasing interest by the research community. While such attention has previously focused on viruses and worms, many of which use near-field communications in order to propagate, none have investigated whether more complex malware such as botnets can effectively operate in this environment. In this paper, we investigate the challenges of constructing and maintaining mobile phone-based botnets communicating nearly exclusively via Bluetooth. Through extensive large-scale simulation based on publicly available Bluetooth traces, we demonstrate that such a malicious infrastructure is possible in many areas due to the largely repetitive nature of human daily routines. In particular, we demonstrate that command and control messages can propagate to approximately 2/3 of infected nodes within 24 hours of being issued by the botmaster. We then explore how traditional defense mechanisms can be modified to take advantage of the same information to more effectively mitigate such systems. In so doing, we demonstrate that mobile phone-based botnets are a realistic threat and that defensive strategies should be modified to consider them.
  • Item
    Rotalumè: A Tool for Automatic Reverse Engineering of Malware Emulators
    (Georgia Institute of Technology, 2009) Sharif, Monirul I. ; Lanzi, Andrea ; Giffin, Jonathon ; Lee, Wenke
    Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic data-flow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control-flow graphs, that provide the foundation for subsequent malware analysis. We implemented a proof-of-concept system called Rotalumè and evaluated it using both legitimate programs and malware emulated by VMProtect and Code Virtualizer. The results show that Rotalumè accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.
  • Item
    CAREER: adaptive intrusion detection systems
    (Georgia Institute of Technology, 2008-10-31) Lee, Wenke
  • Item
    Emerging Cyber Threats Report for 2009
    (Georgia Institute of Technology, 2008-10-15) Ahamad, Mustaque ; Amster, Dave ; Barrett, Michael ; Cross, Tom ; Heron, George ; Jackson, Don ; King, Jeff ; Lee, Wenke ; Naraine, Ryan ; Ollmann, Gunter ; Ramsey, Jon ; Schmidt, Howard A. ; Traynor, Patrick
    On October 15, 2008, the Georgia Tech Information Security Center (GTISC) hosted its annual summit on emerging security threats and countermeasures affecting the digital world. At the conclusion of the event, GTISC released this Emerging Cyber Threats Report—outlining the top five information security threats and challenges facing both consumer and business users in 2009. This year’s summit participants include security experts from the public sector, private enterprise and academia, reinforcing GTISC’s collaborative approach to addressing information security technology and policy challenges. "As one of the leading academic research centers focused on information security, GTISC believes strongly that a proactive and collaborative approach to understanding emerging threats will help us develop more effective information security technologies and strategies," said Mustaque Ahamad, director of GTISC. "The annual GTISC Security Summit on Emerging Cyber Security Threats and our annual Emerging Cyber Threats Report seek to give us a better understanding of the cyber security challenges we will face in the years ahead." GTISC research and advance interviews with key information security experts from government, industry and academia uncovered five specific trends and some profound questions that will drive threats and countermeasures in 2009 and beyond, including: Malware, Botnets, Cyber warfare, Threats to VoIP and mobile devices, and The evolving cyber crime economy. In an effort to inform the broader community about current and future risks, this report will describe each emerging threat, existing or potential countermeasures, and how the threat may evolve in the coming year. In addition, our experts will offer their opinion on the role that Internet security education and regulation may play in further preventing the spread of cyber crime.
  • Item
    The 2008 GTISC Security Summit - Emerging Cyber Security Threats
    (Georgia Institute of Technology, 2008-10-15) Ahamad, Mustaque ; Goodman, Seymour E. ; Rouland, Christopher Jay ; Elder, Robert J., Jr. ; Kwon, Mischel ; Lee, Wenke ; Moore, Morris ; Noonan, Thomas E. ; Ramsey, Jon ; Ransome, James ; Thompson, Heath
    Welcome address by Mustaque Ahamad, Director, Georgia Tech Information Security Center, Professor, College of Computing. Opening remarks by Sy Goodman, Professor and Co-Director, Center for International Strategy, Technology, and Policy ; Chris Rouland, Adjunct Lecturer College of Computing. Introduction by Tom Noonan, former chairman, president and chief executive officer of Internet Security Systems, Inc. Keynote address: Global Operations and Mission Assurance in a Contested Cyber Environment by Lt. General Robert J. Elder, Jr., Commander Eighth Air Force, Barksdale Air Force Base. Panel Discussions: Moderator: Thomas E. Noonan, Entrepreneur ; Mischel Kwon, Director, United States Computer Emergency Readiness Team; National Cyber Security Division, U.S. Department of Homeland Security ; Wenke Lee, Associate Professor, Georgia Tech Information Security Center ; Morris Moore, Vice President of Security Technology, Motorola's Applied Research and Technology Center ; Jon Ramsey, Chief Technology Officer, SecureWorks ; Jim Ransome, Senior Director, Secure Unified Wireless and Mobility Solutions Corporate Security Programs and Global Government Solutions, Cisco ; Heath Thompson, Director, Product Development, IBM/Internet Security Systems
  • Item
    Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic
    (Georgia Institute of Technology, 2005) Kolesnikov, Oleg ; Lee, Wenke
    Normal traffic can provide worms with a very good source of information to camouflage themselves. In this paper, we explore the concept of polymorphic worms that mutate based on normal traffic. We assume that a worm has already penetrated a system and is trying to hide its presence and propagation attempts from an IDS. We focus on stealthy worms that cannot be reliably detected by increases in traffic because of their low propagation factor. We first give an example of a simple polymorphic worm. Such worms can evade a signature-based IDS but not necessarily an anomaly-based IDS. We then show that it is feasible for an advanced polymorphic worm to gather a normal traffic profile and use it to evade an anomaly-based IDS. We tested the advanced worm implementation with three anomaly IDS approaches: NETAD, PAYL and Service-specific IDS. None of the three IDS approaches were able to detect the worm reliably. We found that the mutated worm can also evade other detection methods, such as the Abstract Payload Execution. The goal of this paper is to advance the science of IDS by analyzing techniques polymorphic worms can use to hide themselves. While future work is needed to present a complete solution, our analysis can be used in designing possible defenses. By showing that polymorphic worms are a practical threat, we hope to stimulate further research to improve existing IDS.
  • Item
    An Information-Theoretic Measure of Intrusion Detection Capability
    (Georgia Institute of Technology, 2005) Gu, Guofei ; Fogla, Prahlad ; Dagon, David ; Lee, Wenke ; Skoric, Boris
    A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusion. In this paper, we provide an in-depth analysis of existing metrics. We argue that the lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. The intrusion detection process can be examined from an information-theoretic point of view. Intuitively, we should have less uncertainty about the input (event data) given the IDS output (alarm data). We thus propose a new metric called Intrusion Detection Capability, C_ID, which is simply the ratio of the mutual information between IDS input and output, and the entropy of the input. C_ID has the desired property that: (1) it takes into account all the important aspects of detection capability naturally, i.e., true positive rate, false positive rate, positive predictive value, negative predictive value, and base rate; (2) it objectively provides an intrinsic measure of intrusion detection capability; (3) it is sensitive to IDS operation parameters. We propose that C_ID is the appropriate performance measure to maximize when fine-tuning an IDS. The operation point thus obtained is the best that can be achieved by the IDS in terms of its intrinsic ability to classify input data. We use numerical examples as well as experiments of actual IDSs on various datasets to show that using C_ID, we can choose the best (optimal) operating point for an IDS, and can objectively compare different IDSs.
  • Item
    Simulating Internet Worms
    (Georgia Institute of Technology, 2004-10) Riley, George F. ; Sharif, Monirul I. ; Lee, Wenke
    The accurate and efficient modeling of Internet worms is a particularly challenging task for network simulation tools. The atypical and aggressive behavior of these worms can easily consume excessive resources, both processing time and storage, within a typical simulator. In particular, the selection of random IP addresses, and the sending of packets to the selected hosts, even if they are non-existent or not modeled in the simulation scenario, is challenging for existing network simulation tools. Further, the computation of routing information for these randomly chosen target addresses defeats most caching or on-demand routing methods, resulting in substantial overhead in the simulator. We discuss the design of our Internet worm models in the Georgia Tech Network Simulator, and show how we addressed these issues. We present some results from our Internet worm simulations that show the rate of infection spread for a typical worm under a variety of conditions.
  • Item
    Hardware Supported Anomaly Detection: down to the Control Flow Level
    (Georgia Institute of Technology, 2004-03-10) Zhang, Tao ; Zhuang, Xiaotong ; Pande, Santosh ; Lee, Wenke
    Modern computer systems are plagued with security flaws, making them vulnerable to various malicious attacks. Intrusion detection systems have been proposed to protect computer systems from unauthorized penetration. Detecting an attack early on pays off since further damage is avoided and resilient recovery could be adopted. An intrusion detection system monitors dynamic program behavior against normal program behavior and raises an alert when an anomaly is detected. The normal behavior is learnt by the system through training and profiling. However, all current intrusion detection systems are purely software-based and thus suffer from huge performance degradation due to constant monitoring operations inserted in the application code. Due to the potential performance overhead, software-based solutions cannot monitor the program behavior at a very fine level of granularity, thus leaving potential security holes as shown in [5]. In this paper, we propose a hardware-based approach to verify the control flow of target applications dynamically and to detect anomalous executions. With hardware support, our approach offers multiple advantages over software-based solutions including near-zero performance degradation, much stronger detection capability (a larger variety of attacks get detected) and zero-latency reaction upon anomaly and thus much better security.
  • Item
    Worm Detection Using Local Networks
    (Georgia Institute of Technology, 2004) Qin, Xinzhou ; Dagon, David ; Gu, Guofei ; Lee, Wenke
    The need for a global monitoring system for Internet worm detection is clear. Likewise, the need for local detection and response is also obvious. In this study, we used a large data set to review some of the worm monitoring and detection strategies proposed for large networks, and found them difficult to apply to local networks. In particular, the Kalman filter and victim number-based approaches proved unsuitable for smaller networks. They are of course appropriate for large systems, but what works well for local networks? We propose two algorithms tailored for local network monitoring needs. First, the Destination Source Correlation (DSC) algorithm focuses on the infection relation, and tracks real infected hosts (and not merely scans) to provide an accurate response. Second, the HoneyStat system provides a way to track the short-term infection behavior used by worms. Potentially, this provides a basis for statistical inference about a worm’s behavior on a network.