Methods, media, and systems for detecting attack on a digital processing device

Title: Methods, media, and systems for detecting attack on a digital processing device

Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document;more »

Inventors:: Stolfo, Salvatore J.; Li, Wei-Jen; Keromytis, Angelos D.; Androulaki, Elli

Issue Date:: 2017-02-21

OSTI Identifier:: 1344482

Assignee:: The Trustees of Columbia University in the City of New York PNNL

Patent Number(s):: 9,576,127

Application Number:: 14/336,649

Contract Number:: AC05-76RL01830

Resource Relation:: Patent File Date: 2014 Jul 21

Research Org:: Pacific Northwest National Lab. (PNNL), Richland, WA (United States)

Sponsoring Org:: USDOE

Country of Publication:: United States

Language:: English

Subject:: 99 GENERAL AND MISCELLANEOUS; 97 MATHEMATICS AND COMPUTING

Full Text
View Full Text

Other works cited in this record:

Automatic immune system for computers and computer networks
patent, August 1995

Arnold, William; Chess, David; Kephart, Jeffrey
US Patent Document 5,440,723
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/5440723

Methods and apparatus for evaluating and extracting signatures of computer viruses and other undesirable software entities
patent, September 1995

Kephart, Jeffrey
US Patent Document 5,452,442
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/5452442

Parameterized bloom filters
patent, December 1997

Aucsmith, David
US Patent Document 5,701,464
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/5701464

Apparatus and method for electronic mail virus detection and elimination
patent, March 1999

Ji, Shuang; Chen, Eva; Liang, Yung-Chang
US Patent Document 5,889,943
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/5889943

Method of identifying data type and locating in a file
patent, November 1999

Shaner, Richard
US Patent Document 5,991,714
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/5991714

Optical scanning system for surface inspection
patent, June 2000

Leslie, Brian; Nikoonahad, Mehrdad; Wells, Keith
US Patent Document 6,081,325
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/6081325

Method and apparatus for detecting a macro computer virus using static analysis
patent, February 2004

Ko, Cheuk
US Patent Document 6,697,950
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/6697950

Authenticating executable code and executions thereof
patent, June 2007

Luo, Chenghui; Zhao, Jian
US Patent Document 7,236,610
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/7236610

Host-based detection and prevention of malicious code propagation
patent, January 2008

Szor, Peter
US Patent Document 7,325,185
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/7325185

Static code image modeling and recognition
patent, June 2008

Wells, Joseph
US Patent Document 7,389,538
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/7389538

Prevention of software tampering
patent, January 2009

Olson, Erik; Zinda, Eric
US Patent Document 7,478,233
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/7478233

Forecasting a volume associated with an outcome based on analysis of text strings
patent, February 2009

Brown, Philip; Goodall, Colin; Halasz, Sylvia
US Patent Document 7,493,233
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/7493233

Generating a hierarchical data structure associated with a plurality of known arbitrary-length bit strings used for detecting whether an arbitrary-length bit string input matches one of a plurality of known arbitrary-length bit string
patent, September 2010

Artan, Nabi Sertac; Chao, H. Jonathan
US Patent Document 7,805,460
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/7805460

Correlation engine for detecting network attacks and detection method
patent, September 2011

Shulman, Amichai; Boodaei, Mickey; Kremer, Shlomo
US Patent Document 8,024,804
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/8024804

Apparatus and method for removing malicious code inserted into file
patent, November 2013

Kim, Won Ho; Moon, Jung Hwan; Sohn, Ki Wook
US Patent Document 8,590,016
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/8590016

N-gram-based detection of new malicious code
conference, January 2004

Abou-Assaleh, T.; Cercone, N.; Keselj, V.
Computer Software and Applications Conference, 2004. COMPSAC 2004. Proceedings of the 28th Annual International
DOI: 10.1109/CMPSAC.2004.1342667

Instance-based learning algorithms
journal, January 1991

Aha, David W.; Kibler, Dennis; Albert, Marc K.
Machine Learning, Vol. 6, Issue 1, p. 37-66
DOI: 10.1007/BF00153759

Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses
book, January 2002

Apap, Frank; Honig, Andrew; Hershkop, Shlomo
Recent Advances in Intrusion Detection, p. 36-53
DOI: 10.1007/3-540-36084-0_3

Randomized instruction set emulation to disrupt binary code injection attacks
conference, January 2003

Barrantes, Elena Gabriela; Ackley, David H.; Palmer, Trek S.
CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, p. 281-289
DOI: 10.1145/948109.948147

Can machine learning be secure?
conference, January 2006

Barreno, Marco; Nelson, Blaine; Sears, Russell
ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security, p. 16-25
DOI: 10.1145/1128817.1128824

Space/time trade-offs in hash coding with allowable errors
journal, July 1970

Bloom, Burton H.
Communications of the ACM, Vol. 13, Issue 7, p. 422-426
DOI: 10.1145/362686.362692

Macro virus identification problems
journal, January 1998

Bontchev, Vesselin
Computers & Security, Vol. 17, Issue 1, p. 69-89
DOI: 10.1016/S0167-4048(97)80275-1

Nearest neighbor pattern classification
journal, January 1967

Cover, T.; Hart, P.
IEEE Transactions on Information Theory, Vol. 13, Issue 1, p. 21-27
DOI: 10.1109/TIT.1967.1053964

The Mahalanobis distance
journal, January 2000

De Maesschalck, R.; Jouan-Rimbaud, D.; Massart, D. L.
Chemometrics and Intelligent Laboratory Systems, Vol. 50, Issue 1, p. 1-18
DOI: 10.1016/S0169-7439(99)00047-7

Deep packet inspection using parallel Bloom filters
conference, January 2003

Dharmapurikar, S.; Krishnamurthy, P.; Sproull, T.
High Performance Interconnects, 2003. Proceedings. 11th Symposium on
DOI: 10.1109/CONECT.2003.1231477

Anomaly detection using call stack information
conference, January 2003

Feng, H. H.; Kolesnikov, O. M.; Fogla, P.
Security and Privacy, 2003. Proceedings. 2003 Symposium on
DOI: 10.1109/SECPRI.2003.1199328

Evading network anomaly detection systems: formal reasoning and practical techniques
conference, January 2006

Fogla, Prahlad; Lee, Wenke
CCS '06 Proceedings of the 13th ACM conference on Computer and communications security, p. 59-68
DOI: 10.1145/1180405.1180414

A sense of self for Unix processes
conference, January 1996

Forrest, S.; Hofmeyr, S. A.; Somayaji, A.
Security and Privacy, 1996. Proceedings., 1996 IEEE Symposium on
DOI: 10.1109/SECPRI.1996.502675

A linear space algorithm for computing maximal common subsequences
journal, June 1975

Hirschberg, D. S.
Communications of the ACM, Vol. 18, Issue 6, p. 341-343
DOI: 10.1145/360825.360861

Malware phylogeny generation using permutations of code
journal, September 2005

Karim, Md. Enamul.; Walenstein, Andrew; Lakhotia, Arun
Journal in Computer Virology, Vol. 1, Issue 1-2, p. 13-23
DOI: 10.1007/s11416-005-0002-9

Countering code-injection attacks with instruction-set randomization
conference, January 2003

Kc, Gaurav S.; Keromytis, Angelos D.; Prevelakis, Vassilis
CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, p. 272-280
DOI: 10.1145/948109.948146

Honeycomb: creating intrusion detection signatures using honeypots
journal, January 2004

Kreibich, Christian; Crowcroft, Jon
ACM SIGCOMM Computer Communication Review, Vol. 34, Issue 1, p. 51-56
DOI: 10.1145/972374.972384

Polymorphic Worm Detection Using Structural Information of Executables
book, January 2006

Kruegel, Christopher; Kirda, Engin; Mutz, Darren
Recent Advances in Intrusion Detection, p. 207-226
DOI: 10.1007/11663812_11

Service specific anomaly detection for network intrusion detection
conference, January 2002

Krügel, Christopher; Toth, Thomas; Kirda, Engin
SAC '02 Proceedings of the 2002 ACM symposium on Applied computing, p. 201-208
DOI: 10.1145/508791.508835

A Study of Malcode-Bearing Documents
book, January 2007

Li, Wei-Jen; Stolfo, Salvatore; Stavrou, Angelos
Detection of Intrusions and Malware, and Vulnerability Assessment
DOI: 10.1007/978-3-540-73614-1_14

Fileprints: identifying file types by n-gram analysis
conference, January 2005

Li, Wei-Jen; Wang, Ke; Stolfo, S. J.
Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC
DOI: 10.1109/IAW.2005.1495935

Fast and automated generation of attack signatures: a basis for building self-protecting servers
conference, January 2005

Liang, Zhenkai; Sekar, R.
CCS '05 Proceedings of the 12th ACM conference on Computer and communications security, p. 213-222
DOI: 10.1145/1102120.1102150

FLIPS: Hybrid Adaptive Intrusion Prevention
book, January 2006

Locasto, Michael E.; Wang, Ke; Keromytis, Angelos D.
Recent Advances in Intrusion Detection, p. 82-101
DOI: 10.1007/11663812_5

Characterizing the behavior of a program using multiple-length N-grams
conference, January 2000

Marceau, Carla
NSPW '00 Proceedings of the 2000 workshop on New security paradigms, p. 101-110
DOI: 10.1145/366173.366197

Content based file type detection algorithms
conference, January 2003

McDaniel, M.; Heydari, M. H.
System Sciences, 2003. Proceedings of the 36th Annual Hawaii International Conference on
DOI: 10.1109/HICSS.2003.1174905

Polygraph: Automatically Generating Signatures for Polymorphic Worms
conference, January 2005

Newsome, J.; Karp, B.; Song, D.
Security and Privacy, 2005 IEEE Symposium on
DOI: 10.1109/SP.2005.15

Paragraph: Thwarting Signature Learning by Training Maliciously
book, January 2006

Newsome, James; Karp, Brad; Song, Dawn
Recent Advances in Intrusion Detection, p. 81-105
DOI: 10.1007/11856214_5

Misleading worm signature generators using deliberate noise injection
conference, January 2006

Perdisci, R.; Dagon, D.; Lee, Wenke
Security and Privacy, 2006 IEEE Symposium on
DOI: 10.1109/SP.2006.26

Data mining methods for detection of new malicious executables
conference, January 2001

Schultz, M. G.; Eskin, E.; Zadok, F.
Security and Privacy, 2001. S&P 2001. Proceedings. 2001 IEEE Symposium on
DOI: 10.1109/SECPRI.2001.924286

Specification-based anomaly detection: a new approach for detecting network intrusions
conference, January 2002

Sekar, R.; Gupta, A.; Frullo, J.
CCS '02 Proceedings of the 9th ACM conference on Computer and communications security, p. 265-274
DOI: 10.1145/586110.586146

On the effectiveness of address-space randomization
conference, January 2004

Shacham, Hovav; Page, Matthew; Pfaff, Ben
Proceedings of the 11th ACM conference on Computer and communications security, p. 298-307
DOI: 10.1145/1030083.1030124

A Dynamic Mechanism for Recovering from Buffer Overflow Attacks
book, January 2005

Sidiroglou, Stelios; Giovanidis, Giannis; Keromytis, Angelos D.
Information Security, p. 1-15
DOI: 10.1007/11556992_1

On the infeasibility of modeling polymorphic shellcode
conference, January 2007

Song, Yingbo; Locasto, Michael E.; Stavrou, Angelos
CCS '07 Proceedings of the 14th ACM conference on Computer and communications security, p. 541-551
DOI: 10.1145/1315245.1315312

Towards Stealthy Malware Detection
book, January 2007

Stolfo, Salvatore J.; Wang, Ke; Li, Wei-Jen
Malware Detection
DOI: 10.1007/978-0-387-44599-1_11

"Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector
conference, January 2002

Tan, K. M. C.; Maxion, R. A.
Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on
DOI: 10.1109/SECPRI.2002.1004371

Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits
book, January 2002

Tan, Kymie M. C.; Killourhy, Kevin S.; Maxion, Roy A.
Recent Advances in Intrusion Detection
DOI: 10.1007/3-540-36084-0_4

Intrusion detection via static analysis
conference, January 2001

Wagner, D.; Dean, R.
Security and Privacy, 2001. S&P 2001. Proceedings. 2001 IEEE Symposium on
DOI: 10.1109/SECPRI.2001.924296

Mimicry attacks on host-based intrusion detection systems
conference, January 2002

Wagner, David; Soto, Paolo
CCS '02 Proceedings of the 9th ACM conference on Computer and communications security, p. 255-264
DOI: 10.1145/586110.586145

Shield: vulnerability-driven network filters for preventing known vulnerability exploits
conference, January 2004

Wang, Helen J.; Guo, Chuanxiong; Simon, Daniel R.
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, p. 193-204
DOI: 10.1145/1015467.1015489

Anomalous Payload-Based Network Intrusion Detection
book, January 2004

Wang, Ke; Stolfo, Salvatore J.; Hutchison, David
Recent Advances in Intrusion Detection
DOI: 10.1007/978-3-540-30143-1_11

Anagram: A Content Anomaly Detector Resistant to Mimicry Attack
book, January 2006

Wang, Ke; Parekh, Janak J.; Stolfo, Salvatore J.
Recent Advances in Intrusion Detection, p. 226-248
DOI: 10.1007/11856214_12

Anomalous Payload-Based Worm Detection and Signature Generation
book, January 2006

Wang, Ke; Cretu, Gabriela; Stolfo, Salvatore J.
Recent Advances in Intrusion Detection, p. 227-246
DOI: 10.1007/11663812_12

SigFree: A Signature-Free Buffer Overflow Attack Blocker
journal, January 2010

Wang, Xinran; Pan, Chi-Chun; Liu, Peng
IEEE Transactions on Dependable and Secure Computing, Vol. 7, Issue 1, p. 65-79
DOI: 10.1109/TDSC.2008.30

Toward Automated Dynamic Malware Analysis Using CWSandbox
journal, March 2007

Willems, Carsten; Holz, Thorsten; Freiling, Felix
IEEE Security and Privacy Magazine, Vol. 5, Issue 2, p. 32-39
DOI: 10.1109/MSP.2007.45

Similar records in DOepatents and OSTI.GOV collections:

Methods, media, and systems for detecting attack on a digital processing device

Patent Stolfo, Salvatore J. ; Li, Wei-Jen ; Keromylis, Angelos D. ; Androulaki, Elli

Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document tomore »« less
Full Text Available July 2014
Methods, media and systems for managing a distributed application running in a plurality of digital processing devices

Patent Laadan, Oren ; Nieh, Jason ; Phung, Dan

Methods, media and systems for managing a distributed application running in a plurality of digital processing devices are provided. In some embodiments, a method includes running one or more processes associated with the distributed application in virtualized operating system environments on a plurality of digital processing devices, suspending the one or more processes, and saving network state information relating to network connections among the one or more processes. The method further include storing process information relating to the one or more processes, recreating the network connections using the saved network state information, and restarting the one or more processes usingmore » the stored process information.« less
Full Text Available October 2012
Methods and systems for detecting abnormal digital traffic

Patent Goranson, Craig A ; Burnette, John R

Aspects of the present invention encompass methods and systems for detecting abnormal digital traffic by assigning characterizations of network behaviors according to knowledge nodes and calculating a confidence value based on the characterizations from at least one knowledge node and on weighting factors associated with the knowledge nodes. The knowledge nodes include a characterization model based on prior network information. At least one of the knowledge nodes should not be based on fixed thresholds or signatures. The confidence value includes a quantification of the degree of confidence that the network behaviors constitute abnormal network traffic.
Full Text Available March 2011
Systems and methods for detecting and processing

Patent Johnson, Michael M ; Yoshimura, Ann S

Embodiments of the present invention provides systems and method for detecting. Sensing modules are provided in communication with one or more detectors. In some embodiments, detectors are provided that are sensitive to chemical, biological, or radiological agents. Embodiments of sensing modules include processing capabilities to analyze, perform computations on, and/or run models to predict or interpret data received from one or more detectors. Embodiments of sensing modules form various network configurations with one another and/or with one or more data aggregation devices. Some embodiments of sensing modules include power management functionalities.
Full Text Available March 2006
Methods, systems and devices for detecting and locating ferromagnetic objects

Patent Roybal, Lyle Gene ; Kotter, Dale Kent ; Rohrbaugh, David Thomas ; Spencer, David Frazer

Methods for detecting and locating ferromagnetic objects in a security screening system. One method includes a step of acquiring magnetic data that includes magnetic field gradients detected during a period of time. Another step includes representing the magnetic data as a function of the period of time. Another step includes converting the magnetic data to being represented as a function of frequency. Another method includes a step of sensing a magnetic field for a period of time. Another step includes detecting a gradient within the magnetic field during the period of time. Another step includes identifying a peak value ofmore »« less
Full Text Available January 2010