Shield: Vulnerability-driven network filters for preventing known vulnerability exploits

Computer Communication Review

Volumn 34, Issue 4, 2004, Pages 193-204

  Wang, Helen J ^a   Guo, Chuanxiong ^a   Simon, Daniel R ^a   Zugenmaier, Alf ^a  

^a MICROSOFT RESEARCH   (United States)

Author keywords

Generic Protocol Analyzer; Network Filter; Patching; Vulnerability Signature; Worm Defense

Indexed keywords

COMPUTER SOFTWARE; COMPUTER WORMS; ENCODING (SYMBOLS); NETWORK PROTOCOLS; PROBLEM SOLVING; SECURITY OF DATA; TELECOMMUNICATION TRAFFIC;

GENERIC PROTOCOL ANALYZERS; NETWORK FILTERS; PATCHES; VULNERABILITY SIGNATURE; WORM DEFENSE;

DIGITAL FILTERS;

EID: 21844456680     PISSN: 01464833     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1030194.1015489     Document Type: Conference Paper

References (49)

1. W. A. Arbaugh, W. L. Fithen, and J. McHugh. Windows of Vulnerability, a Case Study Analysis. IEEE Computer, 2000.
2. Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright. Timing the application of security patches for optimal uptime. In LISA XVI, November 2002.
3. William Bush, Jonathan D. Pincus, and David J. Sielaff. A Static Analyzer for Finding Dynamic Programming Errors. Software-Practice and Experience (SP&E), 2000.
4. Byacc. http://dickey.his.com/byacc/byacc.html.
5. H. Chen and B. Karp. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th Usenix Security Symposium, 2004.
6. Z. Chen, L. Gao, and K. Kwiat. Modeling the Spread of Active Worms. In Proceedings of IEEE Infocom, 2003.
7. Microsoft Security Bulletin MS01-033, November 2003. http://www. microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ MS01-033.asp.
8. Microsoft Corp. URLScan Security Tool.http://www.microsoft.com/technet/ security/URLScan.asp.
9. Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of 7th USENIX Security Conference, 1998.
10. David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen. HoneyStat: LocalWorm Detection Using Honeypots. In RAID, 2004.
11. O. Dubuisson. ASN.1 - Communication Between Heterogeneous Systems, Morgan Kaufmann Publishers, 2000.
12. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol -HTTP/1.1 (RFC 2616), June 1999.
13. Alan O. Freier, Philip Karlton, and Paul C. Kocher. The SSL Protocol Version 3.0. http://wp.netscape.com/eng/ssl3/ssl-toc.html.
14. Mark Handley, Vern Paxson, and Christian Kreibich. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In Proceedings of USENIX Security Symposium, August 2001.
15. Hung-Yun Hsieh and Raghupathy Sivakumar. A transport layer approach for achieving aggregate bandwidths on multi-homed mobile hosts. In ACM Mobicom, September 2002.
16. Anthony Jones and Jim Ohlund. Network Programming for Microsoft Windows. Microsoft Publishing, 2002.
17. J. Klensin. Simple Mail Transfer Protocol (RFC 8821), April 2001.
18. C. Kreibich and J. Crowcroft. Honeycomb: Creating Intrusion Detection Signatures Using Honeypots. In HotNets-II, 2003.
19. David Litchfleld. Defeating the stack based buffer overflow prevention mechanism of microsoft windows 2003 server. http://www.nextgenss.com/papers.htm, September 2003.
20. G. Robert Malan, David Watson, and Farnam Jahanian. Transport and application protocol scrubbing. In Proceedings of IEEE Infocom, 2000.
21. P. J. McCann and S. Chandra. PacketTypes: Abstract Specification of Network Protocol Messages. In Proceedings of ACM SIGCOMM, 2000.
22. David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. Inside the Slammer Worm. http://www.computer. org/security/v1n4/j4wea.htm, 2003.
23. David Moore, Colleen Shannon, and Jeffery Brown. Code-Red: a case study on the spread and victims of an Internet worm. In ACM Internet Measurement Workshop (IMW), 2002.
24. Microsoft Security Bulletin MS03-026, September 2003. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS03-026.asp.
25. S. W. O'Malley, T. A. Proebsting, and A. B. Montz. USC: A Universal Stub Compiler. In Proceedings of ACM SIGCOMM, 1994.
26. Vern Paxson. Flex - a scanner generator - Table of Contents. http://www.gnu.org/software/flex/manual/.
27. Vern Paxson. Bro: A System for Detecting Network Intruders in Real-Time. In Computer Networks, Dec 1999.
28. Jonathan Pincus and Brandon Baker. Mitigations for Low-level Coding Vulnerabilities: Incomparability and Limitations. http://research.microsoft.com/ users/jpincus/mitigations.pdf, 2004.
29. J. Postel and J. Reynolds. Telnet Protocol Specification (RFC 854), May 1983.
30. J. Postel and J. Reynolds. RFC 165 - File Transfer Protocol (FTP), October 1985.
31. Niels Provos. A Virtual Honeypot Framework. Technical Report CITI-03-1, Center for Information Technology Integration, University of Michigan, October 2003.
32. Thomas H. Ptacek and Timothy N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection, January 1998. http://www.insecure.org/stf/secnet_ids/secnet_ids.html.
33. Eric Rescorla. Security holes... Who cares? In Proceedings of USENIX Security Symposium, August 2003.
34. DCE 1.1: Remote Procedure Call. http://www.opengroup.org/onlinepubs/ 9629399/.
35. W32.Sasser.Worm, April 2004. http://securityresponse.symantec.com/ avcenter/venc/data/w32.sasser.worm.html.
36. H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson. RTP: A Transport Protocol for Real-Time Applications (RFC 1889), January 1996.
37. Umesh Shankar and Vern Paxson. Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In Proceedings of IEEE Symposium on Security and Privacy, May 2003.
38. Richard Sharpe. Server message block. http://samba.anu.edu.au/cifs/docs/ what-is-smb.html.
39. Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage. The EarlyBird System for Real-time Detection of Unknown Worms. Technical Report CS2003-0761, University of California at San Diego, 2003.
40. Microsoft security bulletin ms02-039, January 2003. http://www.microsoft. com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp.
41. The Open Source Network Intrusion Detection System. http://www.snort.org/ .
42. Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, August 2002.
43. Peter Szor and Peter Ferrie. Hunting for Metamorphic. Symantec Security Response.
44. David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. In NDSS, 2000.
45. Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham. Large Scale Malicious Code: A Research Agenda. http://www.cs.berkeley.edu/ ~nweaver/large_scale_malicious_code.pdf, 2003.
46. Nicholas Weaver, Stuart Staniford, and Vern Paxson. Very Fast Containment of Scanning Worms, 2004. http://www.icsi.berkeley.edu/nweaver/containment/.
47. Nick Weaver. The potential for very fast internet plagues. http://www.cs.berkeley.edu/~nweaver/warhol.html.
48. Matthew M. Williamson. Throttling viruses: Restricting propagation to defeat malicious mobile code. Technical Report HPL-2002-172, HP Labs Bristol, 2002.
49. Rafal Wojtczuk. Defeating Solar Designer's Non-executable Stack Patch. http://www.insecure.org/sploits/non-executable.stack.problems.html, January 1998.