Fast and automated generation of attack signatures

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Fast and automated generation of attack signatures: a basis for building self-protecting servers

Full text

Pdf (180 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 12th ACM conference on Computer and communications security table of contents

Alexandria, VA, USA

SESSION: Intrusion detection and prevention table of contents

Pages: 213 - 222

Year of Publication: 2005

ISBN:1-59593-226-7

Authors

Zhenkai Liang	Stony Brook University, Stony Brook, NY
R. Sekar	Stony Brook University, Stony Brook, NY

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 20, Downloads (12 Months): 152, Citation Count: 13

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTex EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1102120.1102150 What is a DOI?

ABSTRACT

Large-scale attacks, such as those launched by worms and zombie farms, pose a serious threat to our network-centric society. Existing approaches such as software patches are simply unable to cope with the volume and speed with which new vulnerabilities are being discovered. In this paper, we develop a new approach that can provide effective protection against a vast majority of these attacks that exploit memory errors in C/C++ programs. Our approach, called COVERS, uses a forensic analysis of a victim server's memory to correlate attacks to inputs received over the network, and automatically develop a signature that characterizes inputs that carry attacks. The signatures tend to capture characteristics of the underlying vulnerability (e.g., a message field being too long) rather than the characteristics of an attack, which makes them effective against variants of attacks. Our approach introduces low overheads (under 10%), does not require access to source code of the protected server, and has successfully generated signatures for the attacks studied in our experiments, without producing false positives. Since the signatures are generated in tens of milliseconds, they can potentially be distributed quickly over the Internet to filter out (and thus stop) fast-spreading worms. Another interesting aspect of our approach is that it can defeat guessing attacks reported against address-space randomization and instruction set randomization techniques. Finally, it increases the capacity of servers to withstand repeated attacks by a factor of 10 or more.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	The PaX team. http://pax.grsecurity.net.
	2	A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. In USENIX Annual Technical Conference, 2000.
	3	Elena Gabriela Barrantes , David H. Ackley , Trek S. Palmer , Darko Stefanovic , Dino Dai Zovi, Randomized instruction set emulation to disrupt binary code injection attacks, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948147]
	4	S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In USENIX Security, 2003.
	5	S. Bhatkar, R. Sekar, and D. DuVarney. Efficient techniques for com- prehensive protection from memory error exploits. In USENIX Security, 2005.
	6	S. Chen, J. Xu, E. Sezer, P. Gauriar, and R. Iyer. Non-control-hijacking attacks are realistic threats. In USENIX Security, 2005.
	7	T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. In ICDCS, 2001.
	8	W. Cohen. Fast effective rule induction. In International Conference on Machine Learning, 1995.
	9	Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: end-to-end containment of internet worms, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	10	C. Cowan et al. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX Security, 1998.
	11	H. Etoh and K. Yoda. Protecting from stack-smashing attacks. http://www.trl.ibm.com/projects/security/ssp/main.html, 2000.
	12	Fu-Hau Hsu , Tzi-cker Chiueh, CTCP: A Transparent Centralized TCP/IP Architecture for Network Security, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), p.335-344, December 06-10, 2004 [doi>10.1109/CSAC.2004.14]
	13	Trevor Jim , J. Greg Morrisett , Dan Grossman , Michael W. Hicks , James Cheney , Yanling Wang, Cyclone: A Safe Dialect of C, Proceedings of the General Track: 2002 USENIX Annual Technical Conference, p.275-288, June 10-15, 2002
	14	R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Intl. Workshop on Automated Debugging, 1997.
	15	Gaurav S. Kc , Angelos D. Keromytis , Vassilis Prevelakis, Countering code-injection attacks with instruction-set randomization, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948146]
	16	H. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In USENIX Security, 2004.
	17	C. Kreibich and J. Crowcroft. Honeycomb -- creating intrusion detection signatures using honeypots. In HotNets-II, 2003.
	18	Zhenkai Liang , R. Sekar, Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models, Proceedings of the 21st Annual Computer Security Applications Conference, p.215-224, December 05-09, 2005 [doi>10.1109/CSAC.2005.12]
	19	M. Locasto, K. Wang, A. Keromytis, and S. Stolfo. FLIPS: Hybrid adaptive intrusion prevention. In RAID, 2005.
	20	George C. Necula , Scott McPeak , Westley Weimer, CCured: type-safe retrofitting of legacy code, Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.128-139, January 16-18, 2002, Portland, Oregon
	21	James Newsome , Brad Karp , Dawn Song, Polygraph: Automatically Generating Signatures for Polymorphic Worms, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.226-241, May 08-11, 2005 [doi>10.1109/SP.2005.15]
	22	J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.
	23	A. Pasupulati et al. Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In IEEE/IFIP Network Operation and Management Symposium, 2004.
	24	H. Patil and C. Fischer. Efficient run-time monitoring using shadow processing. International Workshop on Automated and Algorithmic Debugging, 1995.
	25	James C. Reynolds , James Just , Larry Clough , Ryan Maglich, On-Line Intrusion Detection and Attack Prevention Using Diversity, Generate-and-Test, and Generalization, Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, p.335.2, January 06-09, 2003
	26	Martin Rinard , Cristian Cadar , Daniel Dumitran , Daniel M. Roy , Tudor Leu, A Dynamic Technique for Eliminating Buffer Overflow Vulnerabilities (and Other Memory Errors), Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), p.82-90, December 06-10, 2004 [doi>10.1109/CSAC.2004.2]
	27	O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In NDSS, 2004.
	28	R. Sekar , M. Bendre , D. Dhurjati , P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.144, May 14-16, 2001
	29	Hovav Shacham , Matthew Page , Ben Pfaff , Eu-Jin Goh , Nagendra Modadugu , Dan Boneh, On the effectiveness of address-space randomization, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA [doi>10.1145/1030083.1030124]
	30	Stelios Sidiroglou , Angelos D. Keromytis, Countering Network Worms Through Automatic Patch Generation, IEEE Security and Privacy, v.3 n.6, p.41-49, November 2005 [doi>08AEE859-E2A6-45B4-90A7-B480D9D7E2B2]
	31	S. Sidiroglou, M. Locasto, S. Boyd, and A. Keromytis. Building a reactive immune system for software services. In USENIX Annual Technical Conference, 2005.
	32	S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In OSDI, 2004.
	33	A. Smirnov and T. Chiueh. DIRA: Automatic detection, identification and repair of control-hijacking attacks. In NDSS, 2005.
	34	Snort. Open source network intrusion detection system. http://www.snort.org.
	35	A. Sovarel, D. Evans, and N. Paul. Where's the FEEB?: The effectiveness of instruction set randomization. In USENIX Security, 2005.
	36	Y. Tang and S. Chen. Defending against Internet worms: A signature-based approach. In INFOCOM, 2005.
	37	T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In RAID, 2002.
	38	Helen J. Wang , Chuanxiong Guo , Daniel R. Simon , Alf Zugenmaier, Shield: vulnerability-driven network filters for preventing known vulnerability exploits, Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, August 30-September 03, 2004, Portland, Oregon, USA
	39	K. Wang and S. Stolfo. Anomalous payload-based network intrusion detection. In RAID, 2004.
	40	Jun Xu , Peng Ning , Chongkyung Kil , Yan Zhai , Chris Bookholt, Automatic diagnosis and response to memory corruption vulnerabilities, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA [doi>10.1145/1102120.1102151]
	41	Wei Xu , Daniel C. DuVarney , R. Sekar, An efficient and backwards-compatible transformation to ensure memory safety of C programs, Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering, October 31-November 06, 2004, Newport Beach, CA, USA
	42	V. Yegneswaran, J. Giffin, P. Barford, and S. Jha. An architecture for generating semantics-aware signatures. In USENIX Security, 2005.

CITED BY 13

	John Haggerty , David Llewellyn-Jones , Mark Taylor, FORWEB: file fingerprinting for automated network forensics investigations, Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop, January 21-23, 2008, Adelaide, Australia
	Haizhi Xu , Steve J. Chapin, Improving address space randomization with a dynamic offset randomization technique, Proceedings of the 2006 ACM symposium on Applied computing, April 23-27, 2006, Dijon, France
	Emre C. Sezer , Peng Ning , Chongkyung Kil , Jun Xu, Memsherlock: an automated debugger for unknown memory corruption vulnerabilities, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Emre C. Sezer , Peng Ning , Chongkyung Kil , Jun Xu, Memsherlock: an automated debugger for unknown memory corruption vulnerabilities, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Prahlad Fogla , Wenke Lee, Evading network anomaly detection systems: formal reasoning and practical techniques, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Michael E. Locasto , Angelos Stavrou , Gabriela F. Cretu , Angelos D. Keromytis, From STEM to SEAD: speculative execution for automated defense, 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference, p.1-14, June 17-22, 2007, Santa Clara, CA
	Burak Bayoglu , Ibrahim Sogukpinar, Polymorphic worm detection using token-pair signatures, Proceedings of the 4th international workshop on Security, privacy and trust in pervasive and ubiquitous computing, p.7-12, July 07-07, 2008, Sorrento, Italy
	Jun Xu , Peng Ning , Chongkyung Kil , Yan Zhai , Chris Bookholt, Automatic diagnosis and response to memory corruption vulnerabilities, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Janak J. Parekh , Ke Wang , Salvatore J. Stolfo, Privacy-preserving payload-based correlation for accurate malicious traffic detection, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.99-106, September 11-15, 2006, Pisa, Italy
	Yingbo Song , Michael E. Locasto , Angelos Stavrou , Angelos D. Keromytis , Salvatore J. Stolfo, On the infeasibility of modeling polymorphic shellcode, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Joseph Tucek , James Newsome , Shan Lu , Chengdu Huang , Spiros Xanthos , David Brumley , Yuanyuan Zhou , Dawn Song, Sweeper: a lightweight end-to-end system for defending against fast worms, ACM SIGOPS Operating Systems Review, v.41 n.3, June 2007
	Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang , Marcus Peinado, Bouncer: securing software by blocking bad input, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
	Zhiqiang Lin , Xuxian Jiang , Dongyan Xu , Bing Mao , Li Xie, AutoPaG: towards automated software patch generation with source code root cause identification and repair, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore