Problem D
Find the Malicious Bytes part 4

Background

A company named VitaminC has the job of detecting current and new variations of network viruses and exploits. They have been given access to client companies’ networks so that IP traffic may be monitored for malicious data traversing the network. They detect this malicious data by looking for virus signatures (a sequence of bytes that has been linked to a known virus).

VitaminC has recently been tasked with identifying IP addresses that are potentially sending malicious packets for further analysis. They have been provided a virus signature (byte sequence) for a known virus that they want to flag within network traffic. The network traffic they have received has been parsed such that the only fields available are the IP address and some data bytes.

VitaminC is developing a more advanced predictive capability that looks for viruses with modified byte sequences attempting to hide via obfuscation. Obfuscation modifies byte sequences such that a direct comparison will not match the virus signature. A malicious actor may pad a virus with extra bytes throughout in order to disguise the original virus.

Part 4

This scenario is a combination of parts 2 and 3. VitaminC has not been given the malicious string. VitaminC has identified packets that appear to be infected and packets that appear to not be affected. Based on the identified good and bad packets, VitaminC needs to determine a possible malicious string sequence that is found in the infected packets, but not in the good packets. VitaminC needs to also account for signature obscurity.

Input

The input is in three sections, separated by a blank line. The first section is samples of malicious byte sequences. The second section is samples of non-malicious byte sequences. The third section contains IP addresses and their associated byte sequences. Input can be 3000 plus bytes per line.

Output

Output is a list of one or more IP addresses, one per line.

Sample Input 1

12 34 75 74 fe 23 43 53
12 34 89 ab fe 87 ab 74
12 12 34 74 ab 34 cc cc
11 31 75 cd 12 34 74 aa

12 34 75 ab 12 23 43 53
12 35 74 ac fe 87 ab 74
12 34 d4 ab fe 34 cc cc
12 36 74 bb 11 aa cc aa

192.168.0.23 0a 12 74 34 fe 12 34 74
192.168.0.23 0a 23 12 ab fe 12 34 56
192.168.0.23 0a 12 77 34 34 12 74 56
192.168.0.23 0a 23 74 ab fe 12 34 56
192.168.0.27 0a 12 34 d4 23 79 ab 56
192.168.0.31 12 23 79 34 75 12 34 76
192.168.0.27 0a 23 79 ab fe 12 34 56
192.168.0.33 0a 74 12 0b 34 12 74 12

Sample Output 1

192.168.0.23
192.168.0.33
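
One way to approach Part 4, shown as an added example that is not part of the original problem page and is not a reference solution. It assumes obfuscation is padding only, so a signature matches a packet when it occurs as a subsequence, and it picks a shortest byte sequence found in every infected sample and in no clean sample, a choice the problem statement leaves open. All function names are illustrative.

```python
from collections import deque

def advance(seq, start, byte):
    """Index just past the first `byte` at or after `start`; None if absent."""
    if start is None:
        return None
    try:
        return seq.index(byte, start) + 1
    except ValueError:
        return None

def is_subsequence(sig, data):
    """True if sig occurs in data in order, with any padding bytes in between."""
    pos = 0
    for b in sig:
        pos = advance(data, pos, b)
    return pos is not None

def infer_signature(bad, good):
    """Shortest sequence that is a subsequence of every bad sample and no good one."""
    alphabet = sorted(set.intersection(*map(set, bad)))  # bytes all bad samples share
    start = ((0,) * len(bad), (0,) * len(good))
    queue, seen = deque([((), start)]), {start}
    while queue:  # breadth-first, so the first hit is a shortest signature
        sig, (bpos, gpos) = queue.popleft()
        for b in alphabet:
            nb = tuple(advance(s, p, b) for s, p in zip(bad, bpos))
            if None in nb:
                continue  # an infected sample cannot supply this byte next
            ng = tuple(advance(s, p, b) for s, p in zip(good, gpos))
            if all(p is None for p in ng):
                return list(sig) + [b]  # no clean sample matches any more
            if (nb, ng) not in seen:  # same match positions => same future
                seen.add((nb, ng))
                queue.append((sig + (b,), (nb, ng)))
    return None  # the samples cannot be separated by subsequence matching

def flag_ips(sig, packets):
    """Unique source IPs, in first-seen order, with a packet that contains sig."""
    hits = [ip for ip, data in packets if is_subsequence(sig, data)]
    return list(dict.fromkeys(hits))

# Samples copied from the first two sections of the page's Sample Input 1.
BAD = [l.split() for l in ("12 34 75 74 fe 23 43 53", "12 34 89 ab fe 87 ab 74",
                           "12 12 34 74 ab 34 cc cc", "11 31 75 cd 12 34 74 aa")]
GOOD = [l.split() for l in ("12 34 75 ab 12 23 43 53", "12 35 74 ac fe 87 ab 74",
                            "12 34 d4 ab fe 34 cc cc", "12 36 74 bb 11 aa cc aa")]
if __name__ == "__main__":
    print(" ".join(infer_signature(BAD, GOOD)))
```

The search state is the tuple of earliest match positions in every sample, so two candidate signatures that reach the same positions are explored only once; the worst case is still exponential in the number of samples.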
