Argos: An Emulator for Fingerprinting Zero-Day Attacks for advertised honeypots with automatic signature generation

Operating Systems Review (ACM)

Volumn 40, Issue 4, 2006, Pages 15-27

  Portokalidis, Georgios ^a   Slowinska, Asia ^a   Bos, Herbert ^a  

^a VU UNIVERSITY AMSTERDAM   (Netherlands)

Author keywords

[No Author keywords available]

Indexed keywords

INTRUSION DETECTION;

AUTOMATIC SIGNATURE GENERATIONS; FALSE POSITIVE; GLOBAL SCALE; NETWORK INTRUSION DETECTION; NETWORKS AND SYSTEMS; OFF-LINE PROCESSING; SYSTEMS AND SOFTWARE; ZERO DAY ATTACK;

PROGRAM DEBUGGING;

EID: 85101182647     PISSN: 01635980     EISSN: None     Source Type: Journal    
DOI: 10.1145/1218063.1217938     Document Type: Article

References (43)

1. Diamondcs openports. http://www.diamondcs.com.au/openports/.
2. Basic Architecture, volume 1 of Intel Architecture Software Developer?s Manual. Intel Corporation, 1997.
3. Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 7(49), November 1996.
4. C. C. A. W. Alex Ho, Michael Fetterman and S. Hand. Practical taint-based protection using demand emulation. In Proc. of the 1st EuroSys Conference, Arpil 2006.
5. F. Bellard. QEMU, a fast and portable dynamic translator. In In Proc. of the USENIX Annual Technical Conference, pages 41-46, April 2005.
6. H. Bos, W. de Bruijn, M. Cristea, T. Nguyen, and G. Portokalidis. FFPF: Fairly Fast Packet Filters. In Proceedings of OSDI?04, San Francisco, CA, December 2004.
7. Bulba Kir. Bypassing Stackguard and Stackshield. Phrack Magazine, 10(56), January 2000.
8. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. of the 7th USENIX Security Symposium, 1998.
9. C. Cowan, M. Barringer, S. Beattie and G. Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In In Proc. of the 10th Usenix Security Symposium, August 2001.
10. C. Cowan, S. Beattie, J. Johansen and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In In Proc. of the 12th USENIX Security Symposium, pages 91-104, August 2003.
11. M. Conover. w00w00 on heap overflows. http://www.w00w00.org/articles.html, January 1999.
12. J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model. In In Proc. of the 37th annual International Symposium on Microarchitecture, pages 221-232, 2004.
13. J. R. Crandall, S. F. Wu, and F. T. Chong. Experiences using Minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities. In Intrusion and Malware Detection and Vulnerability Assessment: Second International Conference (DIMVA05), Vienna, Austria, July 2005.
14. W. Cui, V. Paxson, N. Weaver, and R. Katz. Protocol-independent adaptive replay of application dialog. In The 13th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2006.
15. D. Dagonand, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine and Henry Owen. HoneyStat: Local worm detection using honeypots. In In Proc. of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), 2004.
16. E. G. Barrantes, D.H. Ackley, S. Forrest, T. S. Palmer, D. Stefanovix and D.D. Zovi. Randomized instruction set emulation to disrupt code injection attacks. In In Proc. of the 10th ACM Conference on Computer and Communications Security (CCS), pages 281-289, October 2003.
17. G. E. Suh, J. W. Lee, D. Zhang and S. Devadas. Secure program execution via dynamic information flow tracking. ACM SIGOPS Operating Systems Review, 38(5):86-96, December 2004. SESSION: Security.
18. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In In Proc. of the ACM Computer and Communications Security (CCS) Conference, pages 272-280, October 2003.
19. G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai and P. M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In In Proc. of the 5th USENIX Symposium on Operating Systems Design and Implementation (OSDD, 2002.
20. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In In Proc. of the 10th ISOC Symposium on Network and Distributed Systems Security (SNDSS), February 2003.
21. gera and riq. Advances in format string exploitation. Phrack Magazine, 11(59), July 2002.
22. H. Bos and K. Huang. Towards software-based signature detection for intrusion prevention on the network card. In Proc of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), 2005.
23. K. Hyang-Ah and B. Karp. Autograph: Toward automated, distributed worm signature detection. In In Proc. of the 13th USENIX Security Symposium, 2004.
24. J. C. Rabek, R. I. Khazan, S. M. Lewandowski and R. K. Cunningham. Detection of injected, dynamically generated, and obfuscated malicious code. In In Proc. of the ACM workshop on Rapid Malcode, 2003.
25. J. Etoh. GCC extension for protecting applications from stack-smashing attacks. Technical report, IBM, June 2000.
26. B. Jack. Remote windows kernel exploitation-step into the ring 0. eEye Digital Security Whitepaper, www.eeye.com/!data/publish/whitepapers/research/OT20050205.FILE.pdf, 2005.
27. C. Kreibich and J. Crowcroft. Honeycomb-creating intrusion detection signatures using honeypots. In 2nd Workshop on Hot Topics in Networks (HotNets-ID, 2003.
28. M. Costa, J. Crowcroft, M. Castro, A Rowstron, L. Zhou, L. Zhang and P. Barham. Vigilante: End-To-end containment of internet worms. In In Proc. of the 20th ACM Symposium on Operating Systems Principles (SOSP), Brighton, UK, October 2005.
29. M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In In Proc. of the 10th USENIX Security Symposium, pages 55-66, August 2001.
30. N. Dor, M. Rodeh, and M. Sagiv. CSSV: Towards a realistic tool for statically detecting all buffer overlows in C. In In Proc. of the ACM Conference on Object-Oriented Programming, Systems, Languages and Application, October 2003.
31. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proc. of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.
32. G. Portokalidis and H. Bos. SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots, (An extended version of this report was accepted by Elsevier Journal on Computer Networks, Special Issue on Security through Self-Protecting and Self-Healing Systems), TR IR-CS-015. Technical report, Vrije Universiteit Amsterdam, May 2005.
33. N. Provos. A virtual honeypot framework. In Proc. of the 13th USENIX Security Symposium, 2004.
34. rix. Smashing C++ VPTRS. Phrack Magazine, 10(56), January 2000.
35. M. Roesch. Snort-lightweight intrusion detection for networks. In Proc. of LISA ?99: 13th Systems Administration Conference, 1999.
36. S. Bhatkar, D.C. Du Varney and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In In Proc. of the 12th USENIX Security Symposium, pages 105-120, August 2003.
37. S. Singh, C. Estan, G. Varghese and S. Savage. Automated worm fingerprinting. In In Proc. of the 6th USENIX Symposium on Operating Systems Design and Implementation (OSDD, pages 45-60, 2004.
38. S. Sidiroglou and A. D. Keromytis. Using execution transactions to recover from buffer overflow attacks. Cucs-031-04, Columbia University, 2004.
39. D. Spyrit. Win32 buffer overows (location, exploitation, and prevention). Phrack 55, 1999.
40. V. P. Stuart Staniford and N. Weaver. How to 0wn the internet in your spare time. In Proc. of the 11th USENIX Security Symposium, 2002.
41. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In In Proc. of the 10th USENIX Security Symposium, pages 201-216, August 2001.
42. V. Kiriansky, D. Bruening and S. Amarasinghe. Secure execution via program shepherding. In In Proc. of the 11th USENIX Security Symposium, 2002.
43. M. M. Williamson. Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. In Proc. of ACSAC Security Conference, Las Vegas, Nevada, 2002.