Pattern Mining for Future Attacks

Prasad Naldurg

Abstract:

Malware writers are constantly looking for new vulnerabilities in popular software applications to exploit for profit, and discovering such a flaw is the equivalent of finding a gold mine. When a completely new vulnerability is found and turned into what is called a Zero Day attack, the result is often critical and can lead to data loss or a breach of privacy. Zero Day vulnerabilities, by their very nature, are notoriously hard to find, and the odds seem to be stacked in favour of the attacker. However, before a Zero Day attack is discovered, attackers stealthily test different payload delivery methods and their obfuscated variants in an attempt to outsmart anti-malware protection, with varying degrees of success. Evidence of such failed attempts, if any, is available on the victim machines, and the challenge is to discover their signatures before they can be turned into exploits. We focus on JavaScript files and, using a combination of pattern mining and learning, find two new Zero Day vulnerabilities in Microsoft Internet Explorer, using code collected between June and November 2009. Joint work with Sandeep Karanth, Srivatsan Laxman, Ramarathnam Venkatesan, Jinwook Shin, and J. Lambert.
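The abstract does not describe the mining procedure itself, so the following is an added illustration, not the speakers' method or code: it shows the "pattern mining" half of the idea on a constructed corpus. JavaScript collected from several hosts is tokenised, identifiers and literals are abstracted to their shape (so obfuscated variants that only differ in names, numbers and escaped blobs collapse onto the same token sequence), frequent contiguous token n-grams are counted across hosts, and anything that also occurs in a known-clean baseline is discarded. The host names, file contents and the STR:%u / STR:%x literal classes are all assumptions made up for this example; the "learning" stage mentioned in the abstract is not shown.

```python
import re
from collections import defaultdict

# Constructed sample inputs (not real captured malware): three scripts
# "collected" from victim hosts that share a payload-delivery shape under
# different identifier names and literals, one ordinary collected script,
# and two clean reference scripts used as a baseline.
COLLECTED = {
    "host_a.js": "var p = unescape('%u0c0c%u0c0c'); var s = ''; "
                 "for (var k = 0; k < 1000; k++) { s += p; } "
                 "eval(unescape('%65%76%69%6c'));",
    "host_b.js": 'var bb = ""; var zq = unescape("%u9090%u9090"); '
                 "for (var j = 0; j < 2000; j++) { bb += zq; } "
                 'eval(unescape("%61%6c%65%72%74"));',
    "host_c.js": "var c = String.fromCharCode(101, 118, 97, 108); "
                 "window[c](unescape('%u4141%u4141'));",
    "host_d.js": "function check(f) { if (f.name.value.length == 0) "
                 "{ alert('Name required'); return false; } return true; }",
}
BASELINE = {
    "clean_1.js": "function add(a, b) { return a + b; } var total = add(2, 3); "
                  "document.getElementById('out').innerText = total;",
    "clean_2.js": "var items = [1, 2, 3]; "
                  "for (var i = 0; i < items.length; i++) { console.log(items[i]); }",
}

# Minimal JavaScript lexer: strings, numbers, identifiers, operators.
# Comments and regex literals are not handled; enough for the sketch.
TOKEN_RE = re.compile(
    r"""(?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")"""   # string literal
    r"|(?P<num>\d+(?:\.\d+)?)"                           # numeric literal
    r"|(?P<ident>[A-Za-z_$][\w$]*)"                      # identifier / keyword
    r"|(?P<op>\+\+|--|\+=|-=|===|!==|==|!=|<=|>=|&&|\|\||[-+*/%=<>!&|^~?:;,.(){}\[\]])"
)

KEYWORDS = {"var", "let", "const", "function", "return", "for", "while", "if",
            "else", "new", "this", "in", "typeof", "true", "false", "null"}
# Names kept verbatim because they matter for payload delivery (assumed list).
SENSITIVE = {"eval", "unescape", "escape", "String", "fromCharCode", "charCodeAt",
             "document", "window", "write", "ActiveXObject", "setTimeout",
             "length", "replace", "concat", "substr"}


def tokenize(src):
    """Return a list of (kind, text) tokens; whitespace is skipped."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(src)]


def normalize(tokens):
    """Abstract a token stream to its shape so renamed/re-encoded variants coincide."""
    out = []
    for kind, text in tokens:
        if kind == "str":
            if "%u" in text.lower():                  # %uXXXX escaped blob
                out.append("STR:%u")
            elif re.search(r"%[0-9a-fA-F]{2}", text):  # %XX escaped blob
                out.append("STR:%x")
            else:
                out.append("STR")
        elif kind == "num":
            out.append("NUM")
        elif kind == "ident":
            out.append(text if text in KEYWORDS or text in SENSITIVE else "IDENT")
        else:
            out.append(text)
    return out


def ngrams(seq, n_min, n_max):
    """All contiguous n-grams of seq for n_min <= n <= n_max, as a set of tuples."""
    grams = set()
    for n in range(n_min, n_max + 1):
        for i in range(len(seq) - n + 1):
            grams.add(tuple(seq[i:i + n]))
    return grams


def _contains(big, small):
    n = len(small)
    return any(big[i:i + n] == small for i in range(len(big) - n + 1))


def mine_signatures(collected, baseline, min_support=2, max_n=8):
    """Frequent token-shape n-grams shared by >= min_support collected files
    and absent from every baseline file; only maximal patterns are returned.
    Result maps pattern tuple -> frozenset of file names supporting it."""
    baseline_grams = set()
    for src in baseline.values():
        baseline_grams |= ngrams(normalize(tokenize(src)), 2, max_n)
    support = defaultdict(set)
    for name, src in collected.items():
        for g in ngrams(normalize(tokenize(src)), 2, max_n):
            if g not in baseline_grams:
                support[g].add(name)
    frequent = {g: frozenset(s) for g, s in support.items() if len(s) >= min_support}
    # Drop a pattern if a longer pattern with the same supporting files contains it.
    return {g: files for g, files in frequent.items()
            if not any(len(h) > len(g) and hf == files and _contains(h, g)
                       for h, hf in frequent.items())}


if __name__ == "__main__":
    sigs = mine_signatures(COLLECTED, BASELINE)
    for pattern, files in sorted(sigs.items(), key=lambda kv: (-len(kv[1]), -len(kv[0]))):
        print(f"{len(files)} hosts: {' '.join(pattern)}")
```

Running it reports `unescape ( STR:%u )` on all three suspect hosts and the longer `eval ( unescape ( STR:%x ) ) ;` shape on two of them, while the generic `for ( var IDENT = NUM ; ...` loop head is silently dropped because the clean baseline contains it. On a real collection the interesting part is the ranking and the follow-up: a shape shared across unrelated hosts and absent from clean software is a candidate delivery signature, and the patterns mined this way are only as good as the normalisation (string-class heuristics, the list of names kept verbatim) and the baseline.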

Bio:

Prasad Naldurg is a Researcher in the Cryptography, Security and Applied Mathematics (CSAM) group at Microsoft Research India. His research interests span a variety of topics in security and applied cryptography, including design and verification of access control systems, programming language security, cryptographic protocols, software protection and anti-piracy, with a particular focus on formal methods and logic. He has published over 25 papers in top conferences and workshops including CCS and USENIX Security, and he has recently served on the program committees of WWW, CCS, POLICY and ICISS. He obtained his Ph.D. in Computer Science from the University of Illinois at Urbana-Champaign in 2005.

Time and Place

May 17 2010 (Monday) at 1630 hrs
Gates 4B (opposite 490)