Pattern Mining for Future Attacks

Malware writers are constantly looking for new vulnerabilities in popular software applications to exploit for profit, and discovering such a flaw is literally equivalent to finding a gold mine. When a completely new vulnerability is found, and turned into what are called Zero Day attacks, they can often be critical and lead to data loss or breach of privacy. Zero Day vulnerabilities, by their very nature are notoriously hard to find, and the odds seem to be stacked in favour of the attacker. However, before a Zero Day attack is discovered, attackers stealthily test different payload delivery methods and their obfuscated variants, in an attempt to outsmart anti-malware protection, with varying degrees of success. Evidence of such failed attempts, if any, are available on the victim machines, and the challenge is to discover their signatures before they can be turned into exploits. Our goal in this paper is to search for such vulnerabilities and straighten the odds. We focus on Javascript files, and using a combination of pattern mining and learning, effectively find two new Zero Day vulnerabilities in Microsoft Internet Explorer, using code collected between June and November 2009.