Lecture Notes in Computer Science 8550
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Sven Dietrich (Ed.)

Detection of Intrusions and Malware, and Vulnerability Assessment

11th International Conference, DIMVA 2014 Egham, UK, July 10-11, 2014 Proceedings

Volume Editor
Sven Dietrich
Stevens Institute of Technology, Department of Computer Science
Castle Point on Hudson, Hoboken, NJ 07030, USA
E-mail: [email protected]

ISSN 0302-9743
e-ISSN 1611-3349
ISBN 978-3-319-08508-1
e-ISBN 978-3-319-08509-8
DOI 10.1007/978-3-319-08509-8
Springer Cham Heidelberg Dordrecht

Library of Congress Control Number: 2014941759

LNCS Sublibrary: SL 4 – Security and Cryptology

© Springer International Publishing Switzerland 2014

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

On behalf of the Program Committee, it is my pleasure to present the proceedings of the 11th GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2014). Since 2004, DIMVA has been bringing together leading researchers and practitioners from academia, government, and industry annually to present and discuss novel security research. DIMVA is organized by the Special Interest Group Security – Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI). This event was technically co-sponsored by the IEEE Computer Society Technical Committee on Security and Privacy.

The DIMVA 2014 Program Committee received 60 valid submissions from industrial and academic organizations from 20 different countries, an increase of over 57% in the number of submissions over last year. Each submission was carefully reviewed by at least three Program Committee members or external experts. The submissions were evaluated on the basis of scientific novelty, importance to the field, and technical quality. The final selection took place at the Program Committee meeting held on March 27, 2014, at Stevens Institute of Technology in Hoboken, NJ, USA. Thirteen full papers and one extended abstract were selected for presentation and publication in the conference proceedings.

The conference took place during July 10–11, 2014, at Royal Holloway, University of London, in Egham, UK, with the program grouped into five sessions. Three keynote speeches were presented by Ross Anderson (University of Cambridge), J. Alex Halderman (University of Michigan), and Susan Landau (Worcester Polytechnic Institute).

A successful conference is the result of the joint effort of many people. In particular, I would like to thank all the authors who submitted contributions. I also thank the Program Committee members and the additional reviewers for their hard work and careful evaluation of the submissions, as well as the Steering Committee chairs Ulrich Flegel and Michael Meier for providing guidance during the many months leading up to the conference. Last but not least, I would like to thank the General Chair Lorenzo Cavallaro from Royal Holloway University of London, for handling the local arrangements, the website, and the sponsorship. We are wholeheartedly thankful to our Gold Sponsors GCHQ, HP Labs Bristol, Huawei, and Kaspersky Lab, and our Silver Sponsors Nominet, Silent Circle and Trend Micro for generously supporting DIMVA 2014.

July 2014
Sven Dietrich

Organization

Organizing Committee

Program Chair: Sven Dietrich, Stevens Institute of Technology, USA

General Chair: Lorenzo Cavallaro, Royal Holloway University of London, UK

Program Committee

Magnus Almgren, Chalmers University of Technology, Sweden
Jean Camp, Indiana University at Bloomington, USA
Justin Cappos, NYU Poly, USA
Michael Collins, RedJack LLC, USA
Baris Coskun, AT&T Security Research Center, USA
Hervé Debar, Télécom SudParis, France
David Dittrich, University of Washington, USA
José M. Fernandez, École Polytechnique de Montreal, Canada
Ulrich Flegel, Infineon, Germany
Allen D. Householder, Carnegie Mellon University, Software Engineering Institute, CERT, USA
Rob Johnson, Stony Brook University, USA
Chris Kanich, University of Illinois at Chicago, USA
Pavel Laskov, University of Tübingen, Germany
Corrado Leita, Symantec Research, USA
Michael Meier, University of Bonn, Germany
Daniela Oliveira, Bowdoin College, USA
Michalis Polychronakis, Columbia University, USA
Konrad Rieck, University of Göttingen, Germany
Volker Roth, Freie Universität Berlin, Germany
Sebastian Schmerl, AGT, Germany
Cristina Serban, AT&T Security Research Center, USA
Micah Sherr, Georgetown University, USA
Asia Slowinska, Vrije Universiteit Amsterdam, The Netherlands
Wietse Venema, IBM Research Yorktown Heights, USA

Steering Committee

Chairs
Ulrich Flegel, Infineon, Germany
Michael Meier, University of Bonn, Germany

Members
Herbert Bos, Vrije Universiteit Amsterdam, The Netherlands
Danilo M. Bruschi, Università degli Studi di Milano, Italy
Roland Büschkes, RWE AG, Germany
Hervé Debar, Télécom SudParis, France
Bernhard Hämmerli, Acris GmbH & HSLU Lucerne, Switzerland
Marc Heuse, Baseline Security Consulting, Germany
Thorsten Holz, Ruhr-Universität Bochum, Germany
Marko Jahnke, Fraunhofer FKIE, Germany
Klaus Jülisch, Deloitte, Switzerland
Christian Kreibich, ICSI, USA
Christopher Kruegel, UC Santa Barbara, USA
Pavel Laskov, University of Tübingen, Germany
Konrad Rieck, University of Göttingen, Germany
Robin Sommer, ICSI/LBNL, USA
Diego Zamboni, CFEngine AS, Norway

Additional Reviewers

Daniel Arp
Jonathan P. Chapman
Bapi Chatterjee
Till Elsner
Manfred Erjak
Sebastian Eschweiler
Hugo Gascon
Jan Gassen
Mohammad Halawah
Alan Hall
Ronald Heinrich
Vasileios P. Kemerlis
Georgios Kontaxis
Fanny Lalonde-Lévesque
Antoine Lemay
Tao Li
W. Brad Moore
Daniel Plohmann
Nedim Šrndić
Zhi Da Henry Tan
Tavish Vaidya
Tobias Wahl
Christian Wressnegger
Matthias Wübbeling
Fabian Yamaguchi
Yanyan Zhuang

Gold Sponsors: GCHQ, HP Labs Bristol, Huawei, Kaspersky Lab

Silver Sponsors: Nominet, Silent Circle, Trend Micro

Table of Contents

Malware I

Data Structure Archaeology: Scrape Away the Dirt and Glue Back the Pieces! (Or: Automated Techniques to Recover Split and Merged Variables) ...... 1 Asia Slowinska, Istvan Haller, Andrei Bacs, Silviu Baranga, and Herbert Bos

Identifying Shared Software Components to Support Malware Forensics ...... 21 Brian Ruttenberg, Craig Miles, Lee Kellogg, Vivek Notani, Michael Howard, Charles LeDoux, Arun Lakhotia, and Avi Pfeffer

Instruction-Level Steganography for Covert Trigger-Based Malware (Extended Abstract) ...... 41 Dennis Andriesse and Herbert Bos

Mobile Security

AndRadar: Fast Discovery of Android Applications in Alternative Markets ...... 51 Martina Lindorfer, Stamatis Volanis, Alessandro Sisto, Matthias Neugschwandtner, Elias Athanasopoulos, Federico Maggi, Christian Platzer, Stefano Zanero, and Sotiris Ioannidis

Attacks on Android Clipboard ...... 72 Xiao Zhang and Wenliang Du

I Sensed It Was You: Authenticating Mobile Users with Sensor-Enhanced Keystroke Dynamics ...... 92 Cristiano Giuffrida, Kamil Majdanik, Mauro Conti, and Herbert Bos

Malware II

AV-Meter: An Evaluation of Antivirus Scans and Labels ...... 112 Aziz Mohaisen and Omar Alrawi

PExy: The Other Side of Exploit Kits ...... 132 Giancarlo De Maio, Alexandros Kapravelos, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna

Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware ...... 152 Andrew G. West and Aziz Mohaisen

Network Security

Parallelization of Network Intrusion Detection Systems under Attack Conditions ...... 172 René Rietz, Michael Vogel, Franka Schuster, and Hartmut König

Phoenix: DGA-Based Botnet Tracking and Intelligence ...... 192 Stefano Schiavoni, Federico Maggi, Lorenzo Cavallaro, and Stefano Zanero

Host Security

Quantifiable Run-Time Kernel Attack Surface Reduction ...... 212 Anil Kurmus, Sergej Dechand, and Rüdiger Kapitza

Bee Master: Detecting Host-Based Code Injection Attacks ...... 235 Thomas Barabosch, Sebastian Eschweiler, and Elmar Gerhards-Padilla

Diagnosis and Emergency Patch Generation for Integer Overflow Exploits ...... 255 Tielei Wang, Chengyu Song, and Wenke Lee

Author Index ...... 277