skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Methods, media, and systems for detecting attack on a digital processing device

Abstract

Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document;more » and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.« less

Inventors:
; ; ;
Publication Date:
Research Org.:
Pacific Northwest National Laboratory (PNNL), Richland, WA (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1344482
Patent Number(s):
9,576,127
Application Number:
14/336,649
Assignee:
The Trustees of Columbia University in the City of New York
DOE Contract Number:  
AC05-76RL01830
Resource Type:
Patent
Resource Relation:
Patent File Date: 2014 Jul 21
Country of Publication:
United States
Language:
English
Subject:
99 GENERAL AND MISCELLANEOUS; 97 MATHEMATICS AND COMPUTING

Citation Formats

Stolfo, Salvatore J., Li, Wei-Jen, Keromytis, Angelos D., and Androulaki, Elli. Methods, media, and systems for detecting attack on a digital processing device. United States: N. p., 2017. Web.
Stolfo, Salvatore J., Li, Wei-Jen, Keromytis, Angelos D., & Androulaki, Elli. Methods, media, and systems for detecting attack on a digital processing device. United States.
Stolfo, Salvatore J., Li, Wei-Jen, Keromytis, Angelos D., and Androulaki, Elli. 2017. "Methods, media, and systems for detecting attack on a digital processing device". United States. https://www.osti.gov/servlets/purl/1344482.
@article{osti_1344482,
title = {Methods, media, and systems for detecting attack on a digital processing device},
author = {Stolfo, Salvatore J. and Li, Wei-Jen and Keromytis, Angelos D. and Androulaki, Elli},
abstractNote = {Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.},
doi = {},
url = {https://www.osti.gov/biblio/1344482}, journal = {},
number = ,
volume = ,
place = {United States},
year = {Tue Feb 21 00:00:00 EST 2017},
month = {Tue Feb 21 00:00:00 EST 2017}
}

Works referenced in this record:

Automatic immune system for computers and computer networks
patent, August 1995


Optical scanning system for surface inspection
patent, June 2000


Prevention of software tampering
patent, January 2009


Correlation engine for detecting network attacks and detection method
patent, September 2011


System and Method for Detecting and Repairing Document-Infecting Viruses Using Dynamic Heuristics
patent-application, June 2002


Protocol-parsing state machine and method of using same
patent-application, January 2003


Method and apparatus for sociological data mining
patent-application, September 2003


Information reservoir
patent-application, June 2004


Network security apparatus and method
patent-application, January 2005


Technique for detecting executable malicious code using a combination of static and dynamic analyses
patent-application, May 2005


System and process for managing network traffic
patent-application, November 2005


Document genealogy
patent-application, December 2005


Apparatus method and medium for identifying files using n-gram distribution of data
patent-application, January 2006


Apparatus and method for detecting malicious code embedded in office document
patent-application, June 2006


Software self-defense systems and methods
patent-application, October 2007


Detecting suspicious embedded malicious content in benign file formats
patent-application, January 2008


Systems and methods for the prevention of unauthorized use and manipulation of digital content
patent-application, July 2008


Method and Apparatus for Deep Packet Inspection
patent-application, August 2008


Systems and Methods for Watermarking Software and Other Media
patent-application, September 2008


Method and Apparatus for Detecting Malware Infection
patent-application, July 2009


N-gram-based detection of new malicious code
conference, January 2004


Instance-based learning algorithms
journal, January 1991


Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses
book, January 2002


Randomized instruction set emulation to disrupt binary code injection attacks
conference, January 2003

  • Barrantes, Elena Gabriela; Ackley, David H.; Palmer, Trek S.
  • CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, p. 281-289
  • https://doi.org/10.1145/948109.948147

Can machine learning be secure?
conference, January 2006

  • Barreno, Marco; Nelson, Blaine; Sears, Russell
  • ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security, p. 16-25
  • https://doi.org/10.1145/1128817.1128824

Space/time trade-offs in hash coding with allowable errors
journal, July 1970


Macro virus identification problems
journal, January 1998


Nearest neighbor pattern classification
journal, January 1967


The Mahalanobis distance
journal, January 2000


Deep packet inspection using parallel Bloom filters
conference, January 2003


Anomaly detection using call stack information
conference, January 2003


Evading network anomaly detection systems: formal reasoning and practical techniques
conference, January 2006


A sense of self for Unix processes
conference, January 1996


A linear space algorithm for computing maximal common subsequences
journal, June 1975


Malware phylogeny generation using permutations of code
journal, September 2005


Countering code-injection attacks with instruction-set randomization
conference, January 2003

  • Kc, Gaurav S.; Keromytis, Angelos D.; Prevelakis, Vassilis
  • CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, p. 272-280
  • https://doi.org/10.1145/948109.948146

Honeycomb: creating intrusion detection signatures using honeypots
journal, January 2004


Polymorphic Worm Detection Using Structural Information of Executables
book, January 2006


Service specific anomaly detection for network intrusion detection
conference, January 2002


A Study of Malcode-Bearing Documents
book, January 2007


Fileprints: identifying file types by n-gram analysis
conference, January 2005


Fast and automated generation of attack signatures: a basis for building self-protecting servers
conference, January 2005


FLIPS: Hybrid Adaptive Intrusion Prevention
book, January 2006


Characterizing the behavior of a program using multiple-length N-grams
conference, January 2000


Content based file type detection algorithms
conference, January 2003


Polygraph: Automatically Generating Signatures for Polymorphic Worms
conference, January 2005


Paragraph: Thwarting Signature Learning by Training Maliciously
book, January 2006


Misleading worm signature generators using deliberate noise injection
conference, January 2006


Data mining methods for detection of new malicious executables
conference, January 2001


Specification-based anomaly detection: a new approach for detecting network intrusions
conference, January 2002


On the effectiveness of address-space randomization
conference, January 2004


A Dynamic Mechanism for Recovering from Buffer Overflow Attacks
book, January 2005


On the infeasibility of modeling polymorphic shellcode
conference, January 2007


Towards Stealthy Malware Detection
book, January 2007


"Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector
conference, January 2002


Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits
book, January 2002


Intrusion detection via static analysis
conference, January 2001


Mimicry attacks on host-based intrusion detection systems
conference, January 2002


Shield: vulnerability-driven network filters for preventing known vulnerability exploits
conference, January 2004

  • Wang, Helen J.; Guo, Chuanxiong; Simon, Daniel R.
  • Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, p. 193-204
  • https://doi.org/10.1145/1015467.1015489

Anomalous Payload-Based Network Intrusion Detection
book, January 2004


Anagram: A Content Anomaly Detector Resistant to Mimicry Attack
book, January 2006


Anomalous Payload-Based Worm Detection and Signature Generation
book, January 2006


SigFree: A Signature-Free Buffer Overflow Attack Blocker
journal, January 2010


Toward Automated Dynamic Malware Analysis Using CWSandbox
journal, March 2007