Fast and automated generation of attack signatures: A basis for building self-protecting servers

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2005, Pages 213-222

  Liang, Zhenkai ^a   Sekar, R ^a  

^a Stony Brook University   (United States)

Author keywords

Buffer overflow; Denial of service protection; Memory error; Signature generation; Worm defense

Indexed keywords

COMPUTER SOFTWARE; COMPUTER WORMS; SECURITY SYSTEMS; SERVERS; STATE SPACE METHODS;

BUFFER OVERFLOW; DENIAL-OF-SERVICE PROTECTION; MEMORY ERROR; SIGNATURE GENERATION; WORM DEFENSE;

DIGITAL SIGNAL PROCESSING;

EID: 33745800070     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (42)

1. The PaX team, http://pax.grsecurity.net.
2. A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. In USENIX Annual Technical Conference, 2000.
3. E. Barrantes et al. Randomized instruction set emulation to disrupt binary code injection attacks. In ACM CCS, 2003.
4. S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In USENIX Security, 2003.
5. S. Bhatkar, R. Sekar, and D. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In USENIX Security, 2005.
6. S. Chen, J. Xu, E. Sezer, P. Gauriar, and R. Iyer. Non-control-hijacking attacks are realistic threats. In USENIX Security, 2005.
7. T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. In ICDCS, 2001.
8. W. Cohen. Fast effective rule induction. In International Conference on Machine Learning, 1995.
9. M. Costa et al. Vigilante: End-to-end containment of Internet worms. In SOSP, 2005.
10. C. Cowan et al. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX Security, 1998.
11. H. Etoh and K. Yoda. Protecting from stack-smashing attacks. http://www.trl.ibm.com/projects/security/ssp/main.html, 2000.
12. F. Hsu and T. Chiueh. CTCP: A centralized TCP/IP architecture for networking security. In ACSAC, 2004.
13. T. Jim et al. Cyclone: a safe dialect of C. In USENIX Annual Technical Conference, 2002.
14. R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Intl. Workshop on Automated Debugging, 1997.
15. G. Kc, A. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In ACM CCS, 2003.
16. H. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In USENIX Security, 2004.
17. C. Kreibich and J. Crowcroft. Honeycomb - creating intrusion detection signatures using honeypots. In HotNets-II, 2003.
18. Z. Liang and R. Sekar. Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. In ACSAC, 2005.
19. M. Locasto, K. Wang, A. Keromytis, and S. Stolfo. FLIPS: Hybrid adaptive intrusion prevention. In RAID, 2005.
20. G. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In POPL, 2002.
21. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In IEEE S&P, 2005.
22. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.
23. A. Pasupulati et al. Buttercup: On network-based detection of polymorphic buffer overflow vulnerabilities. In IEEE/IFIP Network Operation and Management Symposium, 2004.
24. H. Patil and C. Fischer. Efficient run-time monitoring using shadow processing. International Workshop on Automated and Algorithmic Debugging, 1995.
25. J. Reynolds, J. Just, L. Clough, and R. Maglich. On-line intrusion detection and attack prevention using diversity, generate-and-test, and generalization. In Hawaii International Conference on System Sciences, 2003.
26. M. Rinard, C. Cadar, D. Roy, and D. Dumitran. A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors). In ACSAC, 2004.
27. O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In NDSS, 2004.
28. R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A fast automaton-based method for detecting anomalous program behaviors. In IEEE S&P, 2001.
29. H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In ACM CCS, 2004.
30. S. Sidiroglou and A. Keromytis. Countering network worms through automatic patch generation. IEEE Security & Privacy, 2005.
31. S. Sidiroglou, M. Locasto, S. Boyd, and A. Keromytis. Building a reactive immune system for software services. In USENIX Annual Technical Conference, 2005.
32. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In OSDI, 2004.
33. A. Smimov and T. Chiueh. DIRA: Automatic detection, identification and repair of control-hijacking attacks. In NDSS, 2005.
34. Snort, Open source network intrusion detection system. http://www.snort.org.
35. A. Sovarel, D. Evans, and N. Paul. Where's the FEEB?: The effectiveness of instruction set randomization. In USENIX Security, 2005.
36. Y. Tang and S. Chen. Defending against Internet worms: A signature-based approach. In INFOCOM, 2005.
37. T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In RAID, 2002.
38. H. Wang, C. Guo, D. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In SIGCOMM, 2004.
39. K. Wang and S. Stolfo. Anomalous payload-based network intrusion detection. In RAID, 2004.
40. J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt. Automatic diagnosis and response to memory corruption vulnerabilities. In ACM CCS, 2005.
41. W. Xu, D. DuVarney, and R. Sekar, An efficient and backwards-compatible transformation to ensure memory safety of C programs, In FSE, 2004.
42. V. Yegneswaran, J. Giffin, P. Barford, and S. Jha. An architecture for generating semantics-aware signatures. In USENIX Security, 2005.