Information Systems Technology
Publication Abstract
Rabek, J. C., Cunningham, R. K., Khazan, R. I., Detecting Privilege-Escalating Executable Exploits, ICDM Workshop on Data Mining for Computer Security, Melbourne, Florida, USA, November 2003.
Abstract
The Lincoln Laboratory Malicious Code Detector (LIMACODE) is a system for statically detecting privilege-escalating exploits in data streams, such as files and network traffic. LIMACODE operates as follows: it scans data streams, identifies the language of each stream, then extracts language-specific features for input to a feed-forward neural network classifier that labels the stream as either malicious or benign. LIMACODE is designed to be a relatively lightweight system that can classify a large number of streams quickly, so that it can be deployed at sites where new data streams (e.g., software) appear frequently. This paper describes the part of LIMACODE that detects privilege-escalating exploits embedded in UNIX Executable and Linking Format (ELF) files; the detectors for C and shell code exploits were described in earlier work.
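The first two pipeline stages (language identification, then language-specific feature extraction that yields a fixed-order numeric vector for a classifier) in an added Python example; this is not LIMACODE's code, the paper's actual feature set is not given on this page, and the signatures, the ELF header features and the sample bytes are all constructed assumptions for illustration.

```python
import math
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"


def identify_stream(data: bytes) -> str:
    """Language-identification step: cheap signatures pick the feature extractor (assumed heuristics)."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "shell"
    if b"#include" in data[:4096] or b"main(" in data[:4096]:
        return "c"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the stream body; high values suggest packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def elf_features(data: bytes) -> dict:
    """Parse an ELF64 little-endian header into an illustrative (assumed) feature set."""
    if len(data) < 64 or not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF stream")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS must be ELF64, EI_DATA little-endian
        raise ValueError("example handles ELF64 little-endian only")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    return {
        "e_type": e_type,                  # 2 = EXEC, 3 = DYN
        "e_machine": e_machine,            # 0x3E = x86-64
        "e_phnum": e_phnum,                # number of program headers
        "e_shnum": e_shnum,                # 0 often means a stripped or hand-built binary
        "entry_low": e_entry < 0x400000,   # entry point below the usual text base
        "body_entropy": shannon_entropy(data[64:]),
    }


def feature_vector(feats: dict) -> list:
    """Fixed-order numeric vector, the form a feed-forward neural network classifier consumes."""
    keys = ("e_type", "e_machine", "e_phnum", "e_shnum", "entry_low", "body_entropy")
    return [float(feats[k]) for k in keys]


def build_sample_elf() -> bytes:
    """Constructed ELF64 header plus a filler body for the demo; not a real program."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ident + hdr + bytes(range(256))
```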
