Lecture Notes in Computer Science 6739 CommencedPublicationin1973 FoundingandFormerSeriesEditors: GerhardGoos,JurisHartmanis,andJanvanLeeuwen EditorialBoard DavidHutchison LancasterUniversity,UK TakeoKanade CarnegieMellonUniversity,Pittsburgh,PA,USA JosefKittler UniversityofSurrey,Guildford,UK JonM.Kleinberg CornellUniversity,Ithaca,NY,USA AlfredKobsa UniversityofCalifornia,Irvine,CA,USA FriedemannMattern ETHZurich,Switzerland JohnC.Mitchell StanfordUniversity,CA,USA MoniNaor WeizmannInstituteofScience,Rehovot,Israel OscarNierstrasz UniversityofBern,Switzerland C.PanduRangan IndianInstituteofTechnology,Madras,India BernhardSteffen TUDortmundUniversity,Germany MadhuSudan MicrosoftResearch,Cambridge,MA,USA DemetriTerzopoulos UniversityofCalifornia,LosAngeles,CA,USA DougTygar UniversityofCalifornia,Berkeley,CA,USA GerhardWeikum MaxPlanckInstituteforInformatics,Saarbruecken,Germany Thorsten Holz Herbert Bos (Eds.) Detection of Intrusions and Malware, and VulnerabilityAssessment 8th International Conference, DIMVA 2011 Amsterdam, The Netherlands, July 7-8, 2011 Proceedings 1 3 VolumeEditors ThorstenHolz Ruhr-UniversitätBochum FakultätfürElektrotechnikundInformationtechnik AG"EmbeddedMalware" Universitätsstrasse150,44801Bochum,Germany Email:[email protected] HerbertBos VrijeUniversiteitAmsterdam ComputerSystemsSection 1081HVAmsterdam,TheNetherlands E-mail:[email protected] ISSN0302-9743 e-ISSN1611-3349 ISBN978-3-642-22423-2 e-ISBN978-3-642-22424-9 DOI10.1007/978-3-642-22424-9 SpringerHeidelbergDordrechtLondonNewYork LibraryofCongressControlNumber:2011930927 CRSubjectClassification(1998):C.2,K.6.5,D.4.6,E.3,H.4,K.4.4 LNCSSublibrary:SL4–SecurityandCryptology ©Springer-VerlagBerlinHeidelberg2011 Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting, reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965, initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violationsareliable toprosecutionundertheGermanCopyrightLaw. Theuseofgeneraldescriptivenames,registerednames,trademarks,etc.inthispublicationdoesnotimply, evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevantprotectivelaws andregulationsandthereforefreeforgeneraluse. Typesetting:Camera-readybyauthor,dataconversionbyScientificPublishingServices,Chennai,India Printedonacid-freepaper SpringerispartofSpringerScience+BusinessMedia(www.springer.com) Preface On behalf of the Program Committee, it is our pleasure to present to you the proceedings of the 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment(DIMVA 2011).EachyearDIMVA bringstogetherin- ternationalexpertsfromacademia,industryandgovernmenttopresentanddis- cuss novelsecurity research.DIMVA is organizedby the Special Interest Group Security – Intrusion Detection and Response (SIDAR) – of the German Infor- matics Society (GI) The DIMVA 2011 ProgramCommittee received 41 submissions. All submis- sions were carefully reviewed by at least three Program Committee members or external experts. The submissions were evaluated according to the criteria of scientific novelty, importance to the field and technical quality. The final se- lection took place at a Program Commitee meeting held on March 25, 2011, at Ruhr-University Bochum, Germany. Eleven full papers and two short papers wereselectedforpresentationattheconferenceandpublicationintheconference proceedings. The conference took place during July 7-8, 2011, at Vrije Univer- siteit Amsterdam, The Netherlands. The program featured both practical and theoretical research results grouped into five sessions. The keynote speech was givenby ManuelCosta,MicrosoftResearch.Another invited talk waspresented by Ahmad-Reza Sadeghi, TU Darmstadt. The conference program further in- cluded a poster session. We sincerely thank all those who submitted papers and posters as well as the Program Committee members and our external reviewers for their valuable contributions to a great conference program. In addition we thank Marc Ku¨hrer for helping during the preparation of these proceedings. For fur- ther details about DIMVA 2011, please refere to the conference website at http://www.dimva.org/dimva2011. July 2011 Thorsten Holz Herbert Bos Organization DIMVA was organized by the Special Interest Group Security – Intrusion De- tection and Response (SIDAR) – of the German Informatics Society (GI). Organizing Committee General Chair Herbert Bos, Vrije Universiteit Amsterdam, The Netherlands ProgramChair ThorstenHolz,Ruhr-UniversityBochum,Germany Sponsoring Chair Damiano Bolzoni, University of Twente, The Netherlands Publicity Chairs Damiano Bolzoni, University of Twente, The Netherlands Konrad Rieck, TU Berlin, Germany Local Chair Asia Slowinska, Vrije Universiteit Amsterdam, The Netherlands Workshops Chair Lorenzo Cavallaro,Vrije Universiteit Amsterdam, The Netherlands Program Committee Michael Bailey University of Michigan, USA Herbert Bos Vrije Universiteit Amsterdam, The Netherlands Juan Caballero IMDEA Software, Spain Lorenzo Cavallaro Vrije Universiteit Amsterdam, The Netherlands Marco Cova University of Birmingham, UK Sven Dietrich Stevens Institute of Technology, USA Ulrich Flegel OffenburgUniversityofAppliedSciences,Germany Felix Freiling University of Erlangen-Nuremberg,Germany Thorsten Holz Ruhr-University Bochum, Germany Martin Johns SAP Research, Germany Engin Kirda Eurecom, France Christian Kreibich International Computer Science Institute, USA Christopher Kruegel University of California, Santa Barbara, USA PavelLaskov University of Tu¨bingen, Germany Wenke Lee Georgia Institute of Technology, USA Corrado Leita Symantec Research Labs, France Lorenzo Martignoni University of California, Berkeley, USA VIII Organization Michael Meier Technical University of Dortmund, Germany Paolo Milani Comparetti Vienna University of Technology, Austria Konrad Rieck TU Berlin, Germany Robin Sommer ICSI/LBNL, USA Dongyan Xu Purdue University, USA Additional Reviewers Zinaida Benenson Achim D. Brucker Andreas Dewald Christian Dietrich Hans-Georg Eßer Jan Go¨bel Mathias Kohler Tammo Kru¨ger Zhiqiang Lin Christian Moch Tilo Mu¨ller Lexi Pimenidis Sebastian Schinzel Thomas Schreck Guido Schwenk Moritz Steiner Benjamin Stock Carsten Willems Steering Committee Chairs Ulrich Flegel, Offenburg University of Applied Sciences, Germany Michael Meier, Technical University of Dortmund, Germany Members Roland Bu¨schkes, RWE AG, Germany Danilo M. Bruschi, Universita` degli Studi di Milano, Italy Herve Debar, France Telecom R&D, France Bernhard Haemmerli, Acris GmbH & HSLU Lucerne, Switzerland Marc Heuse, Baseline Security Consulting, Germany Marko Jahnke, Fraunhofer FKIE, Germany Klaus Julisch, IBM Zurich Research Lab, Switzerland Christian Kreibich, International Computer Science Institute, USA Christopher Kruegel, UC Santa Barbara,USA PavelLaskov, University of Tu¨bingen, Germany Robin Sommer, ICSI/LBNL, USA Diego Zamboni, IBM Zurich Research Lab, Switzerland Table of Contents Network Security I Protecting against DNS Reflection Attacks with Bloom Filters......... 1 Sebastiano Di Paola and Dario Lombardo Effective Network Vulnerability Assessment through Model Abstraction ..................................................... 17 Su Zhang, Xinming Ou, and John Homer Decoy Document Deployment for Effective Masquerade Attack Detection ....................................................... 35 Malek Ben Salem and Salvatore J. Stolfo Attacks Reverse Social Engineering Attacks in Online Social Networks ......... 55 Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, and Calton Pu Timing Attacks on PIN Input in VoIP Networks (Short Paper) ........ 75 Ge Zhang and Simone Fischer-Hu¨bner Web Security Biting the Hand That Serves You: A Closer Look at Client-Side Flash Proxies for Cross-Domain Requests................................. 85 Martin Johns and Sebastian Lekies Mitigating Cross-Site Form History Spamming Attacks with Domain-Based Ranking........................................... 104 Chuan Yue Escape from Monkey Island: Evading High-Interaction Honeyclients .... 124 Alexandros Kapravelos, Marco Cova, Christopher Kruegel, and Giovanni Vigna Network Security II An Assessment of Overt Malicious Activity Manifest in Residential Networks ....................................................... 144 Gregor Maier, Anja Feldmann, Vern Paxson, Robin Sommer, and Matthias Vallentin X Table of Contents What’s Clicking What? Techniques and Innovations of Today’s Clickbots ....................................................... 164 Brad Miller, Paul Pearce, Chris Grier, Christian Kreibich, and Vern Paxson MISHIMA: Multilateration of Internet Hosts Hidden Using Malicious Fast-Flux Agents (Short Paper).................................... 184 Greg Banks, Aristide Fattori, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Host Security Code Pointer Masking: Hardening Applications against Code Injection Attacks......................................................... 194 Pieter Philippaerts, Yves Younan, Stijn Muylle, Frank Piessens, Sven Lachmund, and Thomas Walter Operating System Interface Obfuscation and the Revealing of Hidden Operations...................................................... 214 Abhinav Srivastava, Andrea Lanzi, Jonathon Giffin, and Davide Balzarotti Author Index.................................................. 235 Protecting against DNS Reflection Attacks with Bloom Filters Sebastiano Di Paola and Dario Lombardo Telecom Italia S.p.A., Via Reiss Romoli 274, 10148 Torino, Italy {sebastiano.dipaola,dario.lombardo}@telecomitalia.it Abstract. Nowadays the DNS protocol is under the attention of the security community for its lack of security and for the flaws found in the last few years. In the Internet scenario, the reflection/amplification is the most common and nasty attack that requires very powerful and expensivehardwaretobeprotectedfrom.Inthispaperweproposearo- bustcountermeasureagainst thistypeofthreatsbasedonBloom filters. The proposed method is fast and not too eager of resources, and has a very low error rate, blocking 99.9% of attack packets. The mechanism hasbeenimplementedwithin aproject byTelecom ItaliaS.p.A.,named jdshape, based on JuniperNetworks(cid:2)R SDK. 1 Introduction TheDNSprotocolisoneofthemostimportantprotocoloftheTCP/IPsuite.It isusedtoconvertnamesintonumericaddressesandisthebaseofanyhigh-level service. Due to its early birth it lacks the basic security features that a modern protocolhas. Many attacks have been documented againstthis protocol:in this paperonewillbeanalyzedindeep,theDNSreflectionattack.ItisaDoSattack where the victim is flooded with DNS responses. The paper will describe a defense approach based on Bloom filters: they are used to store the observed DNS queries, and checked against a response. This method allows to couple a queryandaresponsethatbelongtothesameDNStransaction.Alltheresponses thatdon’thaveacoupledqueryarepartoftheattack.TheBloomfilterapproach is fast and effective despite of an error rate due to its statistic origin. The filter is a trade-off between the desired precision (error rate and packet rate) and the memory consumption. We used two filters of about 8,22 MB that can store 3 seconds of traffic at a 800000 pkts/s each. The two filters are needed to have a lock-free implementation that runs on an expansion card of a Juniper router (MS-PIC) and are swapped every predefined time-slot. The proposal has been developed and tested in a simulated environment to verify its behavior. It has been also tested running on the router in lab with both test and real traffic. It has been demonstrated to be effective with respect to the preset error rate (0.1%). The remainder of the paper is organized as follows. Section 2 describes majorDNSprotocolsecurityconcerns.Insection3reflectionattackareoutlined. T.HolzandH.Bos.(Eds.):DMIVA2011,LNCS6739,pp.1–16,2011. (cid:2)c Springer-VerlagBerlinHeidelberg2011