XMiner: Nip the zero day exploits in the bud

Proceedings - 2011 IEEE International Symposium on Network Computing and Applications, NCA 2011

Volumn , Issue , 2011, Pages 99-106

  Zubair Rafique, M ^a   Abulaish, Muhammad ^a  

^a KING SAUD UNIVERSITY   (Saudi Arabia)

Author keywords

Feature extraction; Machine learning; Network security; Vulnerability exploits detection

Indexed keywords

DATA SETS; DECISION TREE CLASSIFIERS; DETECTION SYSTEM; DIFFERENT PROTOCOLS; DISCRIMINATIVE FEATURES; LIGHTWEIGHT DESIGN; MACHINE-LEARNING; MALICIOUS ACTIVITIES; MALICIOUS PACKETS; MEMORY RESOURCES; NETWORK MESSAGES; REAL TIME; REAL-WORLD DATASETS; REMOTE SERVERS; RESOURCECONSTRAINED DEVICES; SMART PHONES; VULNERABILITY EXPLOITS DETECTION;

DECISION TREES; FEATURE EXTRACTION; HTTP; INTERNET PROTOCOLS; MARKOV PROCESSES; PRINCIPAL COMPONENT ANALYSIS;

NETWORK SECURITY;

EID: 80055006379     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/NCA.2011.21     Document Type: Conference Paper

References (41)

1. H. Wang, C. Guo, D. Simon, and A. Zugenmaier, "Shield: Vulnerability-driven network filters for preventing known vulnerability exploits," in ACM SIGCOMM Computer Communication Review, vol. 34, no. 4. ACM, 2004, pp. 193-204. (Pubitemid 40954880)
2. A. Matrosov, E. Rodionov, D. Harley, and J. Malcho, "Stuxnet Under the Microscope," eset, September 2010. [Online]. Available: http://www.eset.com/resources/white-papers/Stuxnet-Under-the-Microscope.pdf
3. "United Press International UPI," January 2009. [Online]. Available: http://www.upi.com/Top-News/2009/01/25/Virus-strikes-15-million-PCs/ UPI-19421232924206/
4. "Microsoft Security Bulletin MS01-033," November 2003. [Online]. Available: http://www.microsoft.com/technet/treeview/default.asp?url=/ technet/security/bulletin/MS01-033.asp.
5. "Microsoft security bulletin ms02-039," January 2003. [Online]. Available: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ security/bulletin/MS02-039.asp.
6. "Microsoft Security Bulletin MS03-026," September 2003. [Online]. Available: http://www.microsoft.com/technet/treeview/default.asp?url=/ technet/security/bulletin/MS03-026.asp.
7. "W32. Sasser. Worm," April 2004. [Online]. Available: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html.
8. M. Rafique, A. Akbar, and M. Farooq, "Evaluating dos attacks against sip-based voip systems," in Proceedings of 28th Global Telecommunications Conference (GLOBECOM). IEEE, HI, USA, 2009, pp. 1-6.
9. C. Mulliner and C. Miller, "Fuzzing the Phone in your Phone," Black Hat USA, 2009.
10. M. Z. Rafique and M. Farooq, "INVITE of Death, Remote DoS Vulnerabiltiy in OpenSBC Server," February 2009. [Online]. Available: http://ims-bisf.nexginrc.org/OpenSBC-vul.html
11. "Remote DoS on Cisco IoS," 2009. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2867.
12. "Remote DoS on Asterisks SIP Server," 2007. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1306.
13. "Remote Code Execution on Video-Confernce Framework in Apple Mac OS," 2007. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2007-0746.
14. SANS-Institute, "SANS Top-20 2007 Security Risks," 2007. [Online]. Available: http://www.sans.org/top20/
15. M. Roesch, "Snort-lightweight intrusion detection for networks," in Proceedings of the 13th USENIX conference on System administration. Seattle, WA, USA, 1999, pp. 229-238.
16. V. Paxson, "Bro: A system for detecting network intruders in real-time," Comput. Networks, vol. 31, no. 23, pp. 2435-2463, 1999.
17. "Hogwash." [Online]. Available: http://sourceforge.net/ projects/hogwash/.
18. H. Abdelnur et al., "KiF: a stateful SIP fuzzer," in Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications. ACM, NY, USA, 2007, pp. 47-56.
19. D. Aitel, "An Introduction to SPIKE, the Fuzzer Creation Kit," immunity inc. white paper, 2004.
20. The-VoIP-Network, "VoIP Market Trends," 2008, http://www.the-voip-network.com/voipmarket.html.
21. M. Crotti, M. Dusi, F. Gringoli, and L. Salgarelli, "Traffic classification through simple statistical fingerprinting," ACM SIGCOMM Computer Communication Review, vol. 37, no. 1, pp. 5-16, 2007.
22. "Protecting Internet Data Centers," http://www.arbornetworks. com/dmdocuments/AB-PIDC-EN-Web.pdf.
23. S. Niccolini, R. Garroppo, S. Giordano, G. Risi, and S. Ventura, "SIP intrusion detection and prevention: recommendations and prototype implementation," in 1st IEEE Workshop on VoIP Management and Security, 2006, pp. 47-52.
24. V. Apte, Y. Wu, S. Bagchi, S. Garg, and N. Singh, "Space Dive: A Distributed Intrusion Detection System for Voice-over-IP Environments," DSN 2006, p. 222.
25. D. Geneiatakis, G. Kambourakis, C. Lambrinoudakis, T. Dagiuklas, and S. Gritzalis, "A framework for protecting a SIP-based infrastructure against malformed message attacks," Computer Networks, vol. 51, no. 10, pp. 2580-2593, 2007. (Pubitemid 46678900)
26. R. Pang, V. Paxson, R. Sommer, and L. Peterson, "binpac: A yacc for writing application protocol parsers," in Proceedings of the 6th ACM SIGCOMM conference on Internet measurement. ACM, NY, USA, 2006, pp. 289-300. (Pubitemid 47165611)
27. N. Borisov, D. Brumley, H. Wang, J. Dunagan, P. Joshi, and C. Guo, "A generic application-level protocol analyzer and its language," in 14h Symposium on Network and Distributed System Security (NDSS), 2007.
28. P. Dussel, C. Gehl, P. Laskov, and K. Rieck, "Incorporation of Application Layer Protocol Syntax into Anomaly Detection," in Proceedings of the 4th International Conference on Information Systems Security. Springer-Verlag, 2008, pp. 188-202.
29. K. Ingham, A. Somayaji, J. Burge, and S. Forrest, "Learning DFA representations of HTTP for protecting web applications," Computer Networks, vol. 51, no. 5, pp. 1239-1255, 2007. (Pubitemid 46131444)
30. K. Rieck, S. Wahl, P. Laskov, P. Domschitz, and K. Muller, "A self-learning system for detection of anomalous sip messages," in Principles, Systems and Applications of IP Telecommunications (IPTCOMM), Second International Conference, LNCS. Springer, 2008, pp. 90-106.
31. C. Kruegel and G. Vigna, "Anomaly detection of web-based attacks," in Proceedings of the 10th ACM conference on Computer and communications security. ACM, NY, USA, 2003, pp. 251-261. (Pubitemid 40673807)
32. F. Ahmed, H. Hameed, M. Shafiq, and M. Farooq, "Using spatio-temporal information in API calls with machine learning algorithms for malware detection," in Proceedings of the 2nd ACM workshop on Security and artificial intelligence. ACM, 2009, pp. 55-62.
33. S. Forrest, S. Hofmeyr, A. Somayaji, T. Longstaff et al., "A sense of self for unix processes," in IEEE Symposium on Security and Privacy. IEEE COMPUTER SOCIETY, 1996, pp. 120-128.
34. D. Gao, M. Reiter, and D. Song, "Behavioral distance measurement using hidden markov models," Lecture Notes in Computer Science, vol. 4219, p. 19, 2006.
35. K. Rieck and P. Laskov, "Language models for detection of unknown attacks in network traffic," Journal in Computer Virology, vol. 2, no. 4, pp. 243-256, 2007.
36. K. Wang, J. Parekh, and S. Stolfo, "Anagram: A content anomaly detector resistant to mimicry attack," in Recent Advances in Intrusion Detection. Springer, 2006, pp. 226-248. (Pubitemid 44617855)
37. K. Wang and S. Stolfo, "Anomalous payload-based network intrusion detection," in Recent Advances in Intrusion Detection. Springer, 2004, pp. 203-222. (Pubitemid 39741895)
38. KrakowLabs, "HTTP compliant client and server fuzzer," http://www.krakowlabs.com/dev.html.
39. INFIGO-Information-Security, "FTP Fuzzer," http://www.infigo. hr/files/.
40. J. Leon, "FTP buffer overflow vulnerabilities," http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2006-05/msg00004. html.
41. M. Z. Rafique and A. Yaqub, "SIP Security Evaluation Tool," http://www.ims-bisf.nexginrc.org/SIPTool.php.