Automated Extraction of Network Protocol Specifications
|
|
- Charity Henderson
- 5 years ago
- Views:
Transcription
1 Automated Extraction of Network Protocol Specifications ARO MURI on Cyber Situation Awareness Kick Off Meeting Christopher Kruegel Computer Security Group,
2 Motivation Stateful protocol specifications are very useful black-box vulnerability analysis (fuzz testing) deep packet inspection (intrusion detection) network understanding (who is talking to whom, about what, ) application version fingerprinting Not all protocols are open Open specifications can lack semantics Manual reverse engineering is time-consuming and tedious 2
3 Goal Automatic extraction of protocol specifications 1. message format specifications what types of messages are there what fields are they composed of (length, handles, data, ) what is the semantics of data fields (file name, date, content, ) 2. protocol state machine what are acceptable sequences of messages 3
4 Available Data Sources Network traces limited information (no semantics) Server binaries static analysis dynamic analysis 4
5 Approach Mostly dynamic analysis (+ some static analysis) Basic insight Observe how the program processes (parses) input messages Use dynamic taint analysis to observe the data flow (trace) Analyze format of individual messages Cluster set of similar messages (each cluster is one type) Generalize message formats for each message type Use message sequences (sessions) to extract state machine 5
6 System Overview Our system operates in four phases Each phase produces input for the following phase 6
7 Dynamic Taint Analysis Obtain execution trace Run application (server) in a dynamic data tainting environment Send messages to server (using a client), or wait until a client starts a session with the server Assign a label to each input byte Track propagation of labels during the execution Record all executed instruction taint labels of all instruction operands 7
8 Dynamic Taint Analysis Label Input: G E T / H T T P / 1. 0 \r \n \r \n Propagate Labels: EAX c G E BL G 0 push %esi push %ebx mov (%eax),%bl sub $0x1,%ecx 0 1 8
9 System Overview 9
10 Session Analysis Extract message format Structure-forming parts enough information to parse a message length fields delimiter fields hierarchy between delimiters Additional semantics keywords, file names, session ids,.. 10
11 Detecting Length Fields Length fields are used to control a loop over input data Leverage binary static analysis to detect loops Look for loops where an exit condition tests the same taint labels on every iteration The tricky part is detecting the target field Look at labels touched inside length loop remove labels touched in all iterations remaining labels belong to target field May need to merge multiple loops (e.g., memcpy) 11
12 Detecting Delimiters Delimiter is one or more bytes that separate a field or message observation: all bytes in the scope of the delimiter are compared against a part of the delimiter Delimiter field detection create a list of taint labels used for comparisons for each byte value, merge consecutive labels into intervals Intervals indicate delimiter scope nesting gives us a hierarchical structure recursive analysis to break up message 12
13 13
14 Additional Semantics Protocol keywords IP addresses (used in socket calls) File names Echoed fields (session identifier, cookie, ) Pointers (to somewhere else in packet) Unused fields 14
15 Detecting Keywords A keyword is a sequence of (1 or 2 byte) characters that is tested against a constant value adjacent characters being successfully compared to non-tainted values are merged into a string take delimiters into account Ideally, we would want to check if input is being tested against values that are hard-coded in binary Currently, we just check whether the string (of at least 3 bytes) is present in the binary 15
16 System Overview 16
17 Message Clustering After the session analysis phase, we have format specifications for individual messages We want to automatically determine the different message types that appear in the observed application sessions Assume a similar reaction of the server to similar messages (that is, if they have the same type) First step: Find a metric of similarity between messages 17
18 Message Similarity We define several similarity features and distance functions These features can be divided into three groups: input similarity features ( message format ) execution similarity features ( code execution ) impact similarity features ( behavior ) For each group, we compute a similarity score 18
19 Input Similarity Feature Assumption: Messages of the same type have similar fields and structure To compute an input similarity score, we use a modified sequence alignment algorithm (Needleman Wunsch) The sequences of fields for all message formats are compared Similar parts get aligned, exposing differences or missing parts (matches, mismatches, gaps) 19
20 Code Execution Similarity Assumption: Similar messages are handled by similar code For each pair of messages, the sets of system calls process activity (clone, kill, ) invoked functions invoked library functions executed addresses are recorded Then, the Jaccard indices are computed: 20
21 Behavior Similarity Assumption: Similar messages trigger similar behavior in the server application Output and file activity similarity feature where is data written to same socket, network, file, or terminal what data is written static strings, tainted data, configuration file content 21
22 Message Clustering The similarity features are used to compute a distance matrix We apply the partitioning around medoids (PAM) algorithm for clustering PAM needs the desired number of clusters k as a parameter we determine k by employing a generalization of the Dunn index Dunn index is a standard intrinsic measure of clustering quality (cluster separation / cluster compactness) Result: Clusters of messages that are similar (of same type) For each cluster, a generalized message format is generated 17
23 System Overview 23
24 State Machine Inference Goal Use the information on message types and the application sessions that we observed to infer a minimal state machine Technique Find the minimal automaton that is consistent with our training set, without being overly general 24
25 Augmented Prefix Tree Acceptor (APTA) First, we construct an Augmented Prefix Tree Acceptor (APTA) incompletely specified DFA with a state transition graph that is a tree Each branch of the tree represents the sequence of message types within an observed application session Agobot (malware) example with two application sessions: 25
26 Minimization We want to generalize the APTA by merging some states We only want to merge states that correspond to similar states in the server application (otherwise, result is overly permissive) Commonly, in application level protocols, specific messages have to be sent before the server can perform certain actions often, login is necessary before other commands can be executed other commands may lead the server away from these states Identify states where the application can process similar commands based on the sequence of messages that it previously received 26
27 State Labeling To capture this intuition, we use prerequisites A prerequisite is a sequence of messages that the server has received that leads it to a specific state For the server to be in a state where it can meaningfully process a message of type m, it first has to receive a message of type r (always), optionally followed only by messages of certain types Once all prerequisites are computed, each state is labeled with the set of message types that are allowed as input in that state 27
28 State Labeling 28
29 State Machine Minimization Compute minimal consistent DFA from the labeled APTA run Exbar on the labeled state tree Exbar is the state-of-the-art exact algorithm for minimal consistent DFA inference end-state detection simple heuristic: mark end-states by finding messages that only appear last in sessions result is the protocol state machine 29
30 Agobot Example Example state machine (generated from two observed application sessions) Captures the notion that login is necessary for the command, and logout returns to the initial state 30
31 Evaluation State machines for four widely deployed real-world protocols Agobot malware example text-based protocol (modified IRC) we mimicked a bot herder and sent a few commands SMTP applied our system to sendmail daemon used 16 application sessions (sending ) as training set 31
32 Evaluation Server Message Block (SMB) complex, stateful, binary protocol we monitored the smbd daemon used smbclient for creating the training set recorded 31 training sessions, performing file operations Session Initiation Protocol (SIP) text-based protocol often used in VoIP infrastructure Asterisk server connected using 2 client soft-phones, made phone calls, used voice boxes,... training set represents the use cases of calling someone 32
33 SMB State Machine 33
34 Quality of Specifications How good are these results? specifications should parse valid sessions without being too general Parsing success to this end, we parsed real-world network traces with the extracted specifications Protocol #Sessions Parsing success SMTP 31,903 93,5% SIP % SMB 80 90% SMTP: remaining 6.5% used TLS encryption (limitation) SMB: Fails were previously unknown error conditions (files not found, etc.) 34
35 Quality of Message Formats Protocol #Sessions Parsing success SMTP 31,903 93,5% SIP % SMB 80 90% 35
36 Quality of Specifications State machine comparison we manually built reference state machines for the tested protocols performed 50,000 random walks over inferred state machines, and checked if the message sequences are valid in the reference state machines precision: ratio of sequences generated by random walks over the inferred state machine that are accepted by the reference state machine recall: ratio for sequences from random walks over the reference state machine that are accepted by the inferred state machine Protocol Precision Recall Agobot 1 1 SMTP 1 1 SMB 1.58 SIP
37 Comparative Evaluation Compare our state machine inference with known algorithms for inductive inference (based on minimum message length) sk-strings, beams Known algorithms did not provide acceptable performance on our training data Agobot SMTP SMB SIP P R P R P R P R Prospex beams sk-strings(and) sk-strings(or)
38 Conclusion Prospex can automatically infer protocol specifications for stateful protocols Steps of approach extract message specifications automatically identify message types infer the protocol state machine Generate protocol specifications for a stateful fuzzer 38
Prospex: Protocol Specification Extraction
Prospex: Protocol Specification Extraction Paolo Milani Comparetti paolo@iseclab.org, Vienna University of Technology Gilbert Wondracek gilbert@iseclab.org, Vienna University of Technology Christopher
More informationAutomatic Network Protocol Analysis
Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel, and Engin Kirda Secure Systems Lab Technical University Vienna gilbert@seclab.tuwien.ac.at Scuola Superiore
More informationInferring Protocol State Machine from Network Traces: A Probabilistic Approach
Inferring Protocol State Machine from Network Traces: A Probabilistic Approach Yipeng Wang, Zhibin Zhang, Danfeng(Daphne) Yao, Buyun Qu, Li Guo Institute of Computing Technology, CAS Virginia Tech, USA
More informationProgram-Analysis-Supported Identification of Applications in Large Networks
Program-Analysis-Supported Identification of Applications in Large Networks Christopher Kruegel Computer Security Group ARO MURI Meeting Arizona State University, October 28, 2013 Correlation Engine COAs
More informationFinding Vulnerabilities in Web Applications
Finding Vulnerabilities in Web Applications Christopher Kruegel, Technical University Vienna Evolving Networks, Evolving Threats The past few years have witnessed a significant increase in the number of
More informationIn-Memory Fuzzing in JAVA
Your texte here. In-Memory Fuzzing in JAVA 2012.12.17 Xavier ROUSSEL Summary I. What is Fuzzing? Your texte here. Introduction Fuzzing process Targets Inputs vectors Data generation Target monitoring Advantages
More informationThe IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 The IA-32 Stack and Function Calls CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta 2 Important Registers used with the Stack EIP: ESP: EBP: 3 Important Registers used with the Stack EIP:
More informationEventpad : a visual analytics approach to network intrusion detection and reverse engineering Cappers, B.C.M.; van Wijk, J.J.; Etalle, S.
Eventpad : a visual analytics approach to network intrusion detection and reverse engineering Cappers, B.C.M.; van Wijk, J.J.; Etalle, S. Published in: European Cyper Security Perspectives 2018 Published:
More informationNetzob Documentation. Release Frédéric Guihéry, Georges Bossert
Netzob Documentation Release 0.4.1 Frédéric Guihéry, Georges Bossert June 11, 2015 Contents 1 The big picture 3 1.1 Table of contents............................................. 3 2 Indices and tables
More informationUnsupervised Learning. Presenter: Anil Sharma, PhD Scholar, IIIT-Delhi
Unsupervised Learning Presenter: Anil Sharma, PhD Scholar, IIIT-Delhi Content Motivation Introduction Applications Types of clustering Clustering criterion functions Distance functions Normalization Which
More informationThe Importance of Interpretability in Cyber Security Analytics
The Importance of Interpretability in Cyber Security Analytics Juston Moore Advanced Research in Cyber Systems Group October 4, 2017 Operated by Los Alamos National Security, LLC for the U.S. Department
More informationCSC D70: Compiler Optimization Register Allocation
CSC D70: Compiler Optimization Register Allocation Prof. Gennady Pekhimenko University of Toronto Winter 2018 The content of this lecture is adapted from the lectures of Todd Mowry and Phillip Gibbons
More informationKiF: A stateful SIP Fuzzer
KiF: A stateful SIP Fuzzer Humberto J. Abdelnur Humberto.Abdelnur@loria.fr Radu State Radu.State@loria.fr Olivier Festor Olivier.Festor@loria.fr Madynes team http://madynes.loria.fr LORIA-INRIA Lorraine,
More informationCHAPTER-6 WEB USAGE MINING USING CLUSTERING
CHAPTER-6 WEB USAGE MINING USING CLUSTERING 6.1 Related work in Clustering Technique 6.2 Quantifiable Analysis of Distance Measurement Techniques 6.3 Approaches to Formation of Clusters 6.4 Conclusion
More informationFaculty of Electrical Engineering, Mathematics, and Computer Science Delft University of Technology
Faculty of Electrical Engineering, Mathematics, and Computer Science Delft University of Technology exam Compiler Construction in4020 July 5, 2007 14.00-15.30 This exam (8 pages) consists of 60 True/False
More informationSecuring BGP. Geoff Huston November 2007
Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture
More informationMWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010
MWR InfoSecurity Security Advisory IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...
More informationAutomatic Binary Exploitation and Patching using Mechanical [Shell]Phish University of California, Santa Barbara (UCSB)
Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara (UCSB) HITCON Pacific December 2nd, 2016 Shellphish
More informationPolyglot: Automatic Extraction of Protocol Format using Dynamic Binary Analysis
Polyglot: Automatic Extraction of Protocol Format using Dynamic Binary Analysis ABSTRACT Protocol reverse engineering, the process of extracting the application-level protocol used by an implementation,
More informationUNIT 3
UNIT 3 Presentation Outline Sequence control with expressions Conditional Statements, Loops Exception Handling Subprogram definition and activation Simple and Recursive Subprogram Subprogram Environment
More informationPracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam
PracticeDump http://www.practicedump.com Free Practice Dumps - Unlimited Free Access of practice exam Exam : SY0-501 Title : CompTIA Security+ Certification Exam Vendor : CompTIA Version : DEMO Get Latest
More information12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents
Contents MWR InfoSecurity Security Advisory WebSphere MQ xcsgetmem Heap Overflow Vulnerability 12 th January 2009 2009-01-05 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationProblem System administration tasks on a VM from the outside, e.g., issue administrative commands such as hostname and rmmod. One step ahead tradition
EXTERIOR: Using a Dual-VM Based External Shell for Guest-OS Introspection, Configuration, and Recovery ACM VEE 13 Problem System administration tasks on a VM from the outside, e.g., issue administrative
More informationFrom Correlation to Causation: Active Delay Injection for Service Dependency Detection
From Correlation to Causation: Active Delay Injection for Service Dependency Detection Christopher Kruegel Computer Security Group ARO MURI Meeting ICSI, Berkeley, November 15, 2012 Correlation Engine
More informationPolyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis
Carnegie Mellon University Research Showcase @ CMU Department of Electrical and Computer Engineering Carnegie Institute of Technology 2007 Polyglot: Automatic Extraction of Protocol Message Format using
More informationOverview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin
CS 6V81-05 Data Structure Reverse Engineering Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Overview 2 REWARDS 3 TIE 4 HOWARD 5 Summary Outline
More informationInspirel. YAMI4 Requirements. For YAMI4Industry, v page 1
YAMI4 Requirements For YAMI4Industry, v.1.3.1 www.inspirel.com info@inspirel.com page 1 Table of Contents Document scope...3 Architectural elements...3 Serializer...3 Socket...3 Input buffer...4 Output
More informationReview Questions. 1 The DRAM problem [5 points] Suggest a solution. 2 Big versus Little Endian Addressing [5 points]
Review Questions 1 The DRAM problem [5 points] Suggest a solution 2 Big versus Little Endian Addressing [5 points] Consider the 32-bit hexadecimal number 0x21d3ea7d. 1. What is the binary representation
More informationTHEORY OF COMPILATION
Lecture 10 Code Generation THEORY OF COMPILATION EranYahav Reference: Dragon 8. MCD 4.2.4 1 You are here Compiler txt Source Lexical Analysis Syntax Analysis Parsing Semantic Analysis Inter. Rep. (IR)
More informationFile System Basics. Farmer & Venema. Mississippi State University Digital Forensics 1
File System Basics Farmer & Venema 1 Alphabet Soup of File Systems More file systems than operating systems Microsoft has had several: FAT16, FAT32, HPFS, NTFS, NTFS2 UNIX certainly has its share, in typical
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationLESSON PLAN FOR EVEN SEM SESSION NEED OF VIRTUAL FUNCTION ABSTRACT CLASS IN DETAIL VIRTUAL DESTRUCTOR TOPIC
LESSON PLAN FOR EVEN SEM SESSION 2017-18 NAME OF ASSISTANT PROFESSOR: SWATI SHARMA CLASS: B.SC. C.A. VI SEM SUBJECT : ADVANCED PROGRAMMING USING C++ UNIT/PART I DATE 1-1-18 DATE 2-1-18 DATE 3-1-18 DATE
More informationLecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse?
More information3. Data Preprocessing. 3.1 Introduction
3. Data Preprocessing Contents of this Chapter 3.1 Introduction 3.2 Data cleaning 3.3 Data integration 3.4 Data transformation 3.5 Data reduction SFU, CMPT 740, 03-3, Martin Ester 84 3.1 Introduction Motivation
More information2. Data Preprocessing
2. Data Preprocessing Contents of this Chapter 2.1 Introduction 2.2 Data cleaning 2.3 Data integration 2.4 Data transformation 2.5 Data reduction Reference: [Han and Kamber 2006, Chapter 2] SFU, CMPT 459
More informationPolyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis
Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis Juan Caballero, Heng Yin, Zhenkai Liang, Dawn Song Carnegie Mellon University College of William and Mary UC Berkeley
More informationFaculty of Electrical Engineering, Mathematics, and Computer Science Delft University of Technology
Faculty of Electrical Engineering, Mathematics, and Computer Science Delft University of Technology exam Compiler Construction in4303 April 9, 2010 14.00-15.30 This exam (6 pages) consists of 52 True/False
More informationAutomatically Identifying Critical Input Regions and Code in Applications
Automatically Identifying Critical Input Regions and Code in Applications Michael Carbin MIT CSAIL, MIT EECS Cambridge, Massachusetts, USA mcarbin@csail.mit.edu Martin Rinard MIT CSAIL, MIT EECS Cambridge,
More informationBinary Analysis for Botnet Reverse Engineering & Defense. Dawn Song UC Berkeley
Binary Analysis for Botnet Reverse Engineering & Defense Dawn Song UC Berkeley Plans Building on BitBlaze to develop new techniques Automatic Reverse Engineering of C&C protocols of botnets Automatic rewriting
More informationClustering Algorithms for general similarity measures
Types of general clustering methods Clustering Algorithms for general similarity measures general similarity measure: specified by object X object similarity matrix 1 constructive algorithms agglomerative
More informationAccess Control Using Intelligent Application Bypass
Access Control Using Intelligent Application Bypass The following topics describe how to configure access control policies to use Intelligent Application Bypass: Introducing Intelligent Application Bypass,
More informationCS 406/534 Compiler Construction Putting It All Together
CS 406/534 Compiler Construction Putting It All Together Prof. Li Xu Dept. of Computer Science UMass Lowell Fall 2004 Part of the course lecture notes are based on Prof. Keith Cooper, Prof. Ken Kennedy
More informationBinary Code Extraction and Interface Identification for Security Applications
Binary Code Extraction and Interface Identification for Security Applications Juan Caballero Noah M. Johnson Stephen McCamant Dawn Song Electrical Engineering and Computer Sciences University of California
More informationLow-Level Essentials for Understanding Security Problems Aurélien Francillon
Low-Level Essentials for Understanding Security Problems Aurélien Francillon francill@eurecom.fr Computer Architecture The modern computer architecture is based on Von Neumann Two main parts: CPU (Central
More informationPreview. Memory Management
Preview Memory Management With Mono-Process With Multi-Processes Multi-process with Fixed Partitions Modeling Multiprogramming Swapping Memory Management with Bitmaps Memory Management with Free-List Virtual
More informationApplication Detection
The following topics describe Firepower System application detection : Overview:, on page 1 Custom Application Detectors, on page 6 Viewing or Downloading Detector Details, on page 14 Sorting the Detector
More informationCore PHP. PHP output mechanism. Introducing. Language basics. Installing & Configuring PHP. Introducing of PHP keywords. Operators & expressions
Core PHP Introducing The origin of PHP PHP for web Development & Web Application PHP History Features of PHP How PHP works with the server What is server & how it works Installing & Configuring PHP PHP
More informationLesson 5 Web Service Interface Definition (Part II)
Lesson 5 Web Service Interface Definition (Part II) Service Oriented Architectures Security Module 1 - Basic technologies Unit 3 WSDL Ernesto Damiani Università di Milano Controlling the style (1) The
More informationSURVEY ON NETWORK ATTACK DETECTION AND MITIGATION
SURVEY ON NETWORK ATTACK DETECTION AND MITIGATION Welcome to the da/sec survey on network attack detection and mitigation. Network-based attacks pose a strong threat to the Internet landscape and academia
More informationCSE543 - Computer and Network Security Module: Intrusion Detection
CSE543 - Computer and Network Security Module: Intrusion Detection Professor Trent Jaeger 1 Intrusion An authorized action... that exploits a vulnerability... that causes a compromise... and thus a successful
More informationData Preprocessing. Slides by: Shree Jaswal
Data Preprocessing Slides by: Shree Jaswal Topics to be covered Why Preprocessing? Data Cleaning; Data Integration; Data Reduction: Attribute subset selection, Histograms, Clustering and Sampling; Data
More informationAppGate 11.0 RELEASE NOTES
Changes in 11.0 AppGate 11.0 RELEASE NOTES 1. New packet filter engine. The server-side IP tunneling packet filter engine has been rewritten from scratch, reducing memory usage drastically and improving
More informationConfiguring Access Rules
Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule
More informationCYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta
CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationRegular Expression Constrained Sequence Alignment
Regular Expression Constrained Sequence Alignment By Abdullah N. Arslan Department of Computer science University of Vermont Presented by Tomer Heber & Raz Nissim otivation When comparing two proteins,
More informationTypes of general clustering methods. Clustering Algorithms for general similarity measures. Similarity between clusters
Types of general clustering methods Clustering Algorithms for general similarity measures agglomerative versus divisive algorithms agglomerative = bottom-up build up clusters from single objects divisive
More informationModelling Cyber Security Risk Across the Organization Hierarchy
Modelling Cyber Security Risk Across the Organization Hierarchy Security issues have different causes and effects at different layers within the organization one size most definitely does not fit all.
More informationTheory of Computations Spring 2016 Practice Final Exam Solutions
1 of 8 Theory of Computations Spring 2016 Practice Final Exam Solutions Name: Directions: Answer the questions as well as you can. Partial credit will be given, so show your work where appropriate. Try
More informationScenario-based Synthesis of Annotated Class Diagrams in UML
Scenario-based Synthesis of Annotated Class Diagrams in UML Petri Selonen and Tarja Systä Tampere University of Technology, Software Systems Laboratory, P.O.Box 553, FIN-33101 Tampere, Finland {pselonen,tsysta}@cs.tut.fi
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationPractical Techniques for Regeneration and Immunization of COTS Applications
Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,
More informationGraph-Based Binary Analysis
Graph-Based Binary Analysis Drawing pictures from code Blackhat Briefings 2002 Halvar Flake Reverse Engineer Blackhat Consulting Ð http://www.blackhat.com Graph-Based Binary Analysis Overview (I) The speech
More informationPower Estimation of UVA CS754 CMP Architecture
Introduction Power Estimation of UVA CS754 CMP Architecture Mateja Putic mateja@virginia.edu Early power analysis has become an essential part of determining the feasibility of microprocessor design. As
More informationData Mining. Dr. Raed Ibraheem Hamed. University of Human Development, College of Science and Technology Department of Computer Science
Data Mining Dr. Raed Ibraheem Hamed University of Human Development, College of Science and Technology Department of Computer Science 06 07 Department of CS - DM - UHD Road map Cluster Analysis: Basic
More informationA Smart Fuzzer for x86 Executables
Università degli Studi di Milano Facoltà di Scienze Matematiche, Fisiche e Naturali A Smart Fuzzer for x86 Executables Andrea Lanzi, Lorenzo Martignoni, Mattia Monga, Roberto Paleari May 19, 2007 Lanzi,
More informationRegister Allocation. Stanford University CS243 Winter 2006 Wei Li 1
Register Allocation Wei Li 1 Register Allocation Introduction Problem Formulation Algorithm 2 Register Allocation Goal Allocation of variables (pseudo-registers) in a procedure to hardware registers Directly
More informationHelping Johnny To Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study
Helping Johnny To Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study Khaled Yakdan University of Bonn Fraunhofer FKIE Sergej Dechand University of Bonn Elmar Gerhards-Padilla
More informationSupplement for MIPS (Section 4.14 of the textbook)
Supplement for MIPS (Section 44 of the textbook) Section 44 does a good job emphasizing that MARIE is a toy architecture that lacks key feature of real-world computer architectures Most noticable, MARIE
More informationBrief overview of the topic and myself the 7 VCS used so far (different one each time), still many unused Acts as a time-machine, and almost as
Brief overview of the topic and myself the 7 VCS used so far (different one each time), still many unused Acts as a time-machine, and almost as contentious as the text editor This talk tries to address
More informationProject #2: FishNet Distance Vector Routing
Project #2: FishNet Distance Vector Routing Assignment documentation version: 1.0 Due Nov 18 th, 2009 This informational handout covers introductory material describing the Fishnet software that you use,
More informationPfR Voice Traffic Optimization Using Active Probes
PfR Voice Traffic Optimization Using Active Probes This module documents a Performance Routing (PfR) solution that supports outbound optimization of voice traffic based on the voice metrics, jitter and
More informationT9: SDN and Flow Management: DevoFlow
T9: SDN and Flow Management: DevoFlow Critique Lee, Tae Ho 1. Problems due to switch HW may be temporary. HW will evolve over time. Section 3.3 tries to defend against this point, but none of the argument
More informationProject Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio
Project Proposal ECE 526 Spring 2006 Modified Data Structure of Aho-Corasick Benfano Soewito, Ed Flanigan and John Pangrazio 1. Introduction The internet becomes the most important tool in this decade
More informationTCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12
TCP/IP Networking Training Details Training Time : 9 Hours Capacity : 12 Prerequisites : There are no prerequisites for this course. About Training About Training TCP/IP is the globally accepted group
More informationSequence clustering. Introduction. Clustering basics. Hierarchical clustering
Sequence clustering Introduction Data clustering is one of the key tools used in various incarnations of data-mining - trying to make sense of large datasets. It is, thus, natural to ask whether clustering
More informationAN408. A Web-Configurable LabVIEW Virtual Instrument for a BL2600 and RN1100
AN408 A Web-Configurable LabVIEW Virtual Instrument for a BL2600 and RN1100 This application note (AN408) expands on Application Note 407 (AN407) to describe a more advanced BL2600 application to interface
More informationPerformance Optimization for Informatica Data Services ( Hotfix 3)
Performance Optimization for Informatica Data Services (9.5.0-9.6.1 Hotfix 3) 1993-2015 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic,
More informationFuzzgrind: an automatic fuzzing tool
Fuzzgrind: an automatic fuzzing tool 1/55 Fuzzgrind: an automatic fuzzing tool Gabriel Campana Sogeti / ESEC gabriel.campana(at)sogeti.com Fuzzgrind: an automatic fuzzing tool 2/55 Plan 1 2 3 4 Fuzzgrind:
More informationComputational Biology Lecture 4: Overlap detection, Local Alignment, Space Efficient Needleman-Wunsch Saad Mneimneh
Computational Biology Lecture 4: Overlap detection, Local Alignment, Space Efficient Needleman-Wunsch Saad Mneimneh Overlap detection: Semi-Global Alignment An overlap of two sequences is considered an
More informationMWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010
MWR InfoSecurity Security Advisory IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...
More informationProbabilistic Performance Analysis of Moving Target and Deception Reconnaissance Defenses
Probabilistic Performance Analysis of Moving Target and Deception Reconnaissance Defenses Michael Crouse, Bryan Prosser and Errin W. Fulp WAKE FOREST U N I V E R S I T Y Department of Computer Science
More informationMassive Data Algorithmics. Lecture 12: Cache-Oblivious Model
Typical Computer Hierarchical Memory Basics Data moved between adjacent memory level in blocks A Trivial Program A Trivial Program: d = 1 A Trivial Program: d = 1 A Trivial Program: n = 2 24 A Trivial
More informationregister allocation saves energy register allocation reduces memory accesses.
Lesson 10 Register Allocation Full Compiler Structure Embedded systems need highly optimized code. This part of the course will focus on Back end code generation. Back end: generation of assembly instructions
More informationDivide and Conquer Algorithms. Problem Set #3 is graded Problem Set #4 due on Thursday
Divide and Conquer Algorithms Problem Set #3 is graded Problem Set #4 due on Thursday 1 The Essence of Divide and Conquer Divide problem into sub-problems Conquer by solving sub-problems recursively. If
More informationCode generation for modern processors
Code generation for modern processors Definitions (1 of 2) What are the dominant performance issues for a superscalar RISC processor? Refs: AS&U, Chapter 9 + Notes. Optional: Muchnick, 16.3 & 17.1 Instruction
More informationPineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO
PineApp Mail Secure SOLUTION OVERVIEW David Feldman, CEO PineApp Mail Secure INTRODUCTION ABOUT CYBONET CORE EXPERIENCE PRODUCT LINES FACTS & FIGURES Leader Product Company Servicing Multiple Vertical
More informationCode generation for modern processors
Code generation for modern processors What are the dominant performance issues for a superscalar RISC processor? Refs: AS&U, Chapter 9 + Notes. Optional: Muchnick, 16.3 & 17.1 Strategy il il il il asm
More informationInferring Protocol State Machine from Network Traces: A Probabilistic Approach
Inferring Protocol State Machine from Network Traces: A Probabilistic Approach Yipeng Wang 1,3, Zhibin Zhang 1, Danfeng (Daphne) Yao 2, Buyun Qu 1,3,andLiGuo 1 1 Institute of Computing Technology, Chinese
More informationIntrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks
Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial
More informationLabeling Library Functions in Stripped Binaries
Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller Computer Sciences Department University of Wisconsin - Madison PASTE 2011 Szeged, Hungary September
More informationLecture 4 Hierarchical clustering
CSE : Unsupervised learning Spring 00 Lecture Hierarchical clustering. Multiple levels of granularity So far we ve talked about the k-center, k-means, and k-medoid problems, all of which involve pre-specifying
More informationBEAMJIT, a Maze of Twisty Little Traces
BEAMJIT, a Maze of Twisty Little Traces A walk-through of the prototype just-in-time (JIT) compiler for Erlang. Frej Drejhammar 130613 Who am I? Senior researcher at the Swedish Institute
More informationDesign and Analysis of Algorithms Prof. Madhavan Mukund Chennai Mathematical Institute
Design and Analysis of Algorithms Prof. Madhavan Mukund Chennai Mathematical Institute Module 07 Lecture - 38 Divide and Conquer: Closest Pair of Points We now look at another divide and conquer algorithm,
More informationAbout this exam review
Final Exam Review About this exam review I ve prepared an outline of the material covered in class May not be totally complete! Exam may ask about things that were covered in class but not in this review
More informationGene Clustering & Classification
BINF, Introduction to Computational Biology Gene Clustering & Classification Young-Rae Cho Associate Professor Department of Computer Science Baylor University Overview Introduction to Gene Clustering
More informationConnection Logging. Introduction to Connection Logging
The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections
More informationCONFIGURING SQL SERVER 2008 REPORTING SERVICES FOR REDHORSE CRM
CONFIGURING SQL SERVER 2008 REPORTING SERVICES FOR REDHORSE CRM This article will walk you thru the initial configuration of SQL Server Reporting Services. Choosing an Instance Reporting Services is configured
More informationRun-time Environments. Lecture 13. Prof. Alex Aiken Original Slides (Modified by Prof. Vijay Ganesh) Lecture 13
Run-time Environments Lecture 13 by Prof. Vijay Ganesh) Lecture 13 1 What have we covered so far? We have covered the front-end phases Lexical analysis (Lexer, regular expressions,...) Parsing (CFG, Top-down,
More informationToday s topic CS347. Results list clustering example. Why cluster documents. Clustering documents. Lecture 8 May 7, 2001 Prabhakar Raghavan
Today s topic CS347 Clustering documents Lecture 8 May 7, 2001 Prabhakar Raghavan Why cluster documents Given a corpus, partition it into groups of related docs Recursively, can induce a tree of topics
More information