Authors: Helen J. Wang, Chuanxiong Guo, Daniel R

Slides:



Advertisements
Similar presentations
Fraunhofer FOKUS 2007 VoIP Defender The Future of VoIP Protection Fraunhofer FOKUS Institute, Germany.
Advertisements

Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection Aaron Beach Spring 2004.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Lecture 11 Intrusion Detection (cont)
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
DEEDS Meeting Oct., 26th 2006 Dependable, Embedded Systems and Software Group Department of Computer Science Darmstadt University of Technology Summary.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Shield: Vulnerability-Driven End- Host Firewall for Preventing Known Vulnerability Attacks Sigcomm ’04.
Chapter 6: Packet Filtering
Survey “Intrusion Detection: Systems and Models” “A Stateful Intrusion Detection System for World-Wide Web Servers”
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
World Wide Web Hypertext model Use of hypertext in World Wide Web (WWW) WWW client-server model Use of TCP/IP protocols in WWW.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Experiment Management System CSE 423 Aaron Kloc Jordan Harstad Robert Sorensen Robert Trevino Nicolas Tjioe Status Report Presentation Industry Mentor:
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
Intrusion Detection on a Shoestring Budget Shane Williams UT Austin Graduate School of Library and Information Science Oct. 18, 2000 SANS Network Security.
Internet Security and Firewall Design Chapter 32.
Mike Hsiao Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits Helen J. Wang, Chuanxiong Guo, Daniel R. Simon,
Security fundamentals Topic 10 Securing the network perimeter.
Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits By Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier.
Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits H. Wang, C. Guo, D. Simon, and A. Zugenmaier Microsoft Research.
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Role Of Network IDS in Network Perimeter Defense.
Copyright 2007, Information Builders. Slide 1 iWay Web Services and WebFOCUS Consumption Michael Florkowski Information Builders.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Week #8 OBJECTIVES Chapter #5. CHAPTER 5 Making Networks Work Two Networking Models –OSI OPEN SYSTEMS INTERCONNECTION PROPOSED BY ISO –INTERNATIONAL STANDARDS.
Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
1 Network Security. 2 Security Services Confidentiality: protection of any information from being exposed to unintended entities. –Information content.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,
Security fundamentals
CS457 Introduction to Information Security Systems
Working at a Small-to-Medium Business or ISP – Chapter 8
Secure Software Confidentiality Integrity Data Security Authentication
Self Healing and Dynamic Construction Framework:
Integrated Cyber October 16-17, 2017
Principles of Computer Security
Introduction to Networking
BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
Understanding the OSI Reference Model
James Logan CS526 Dr. Chow April 29, 2009
Information Security Session October 24, 2005
A Real-time Intrusion Detection System for UNIX
Chapter 8: Monitoring the Network
Cloud computing mechanisms
Internet Protocols IP: Internet Protocol
Firewalls.
Outline Chapter 2 (cont) OS Design OS structure
Chapter 29: Program Security
Chapter 15: File System Internals
Authors: Helen J. Wang, Chuanxiong Guo, Daniel R
6. Application Software Security
Presentation transcript:

Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits Authors: Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier Publication: ACM SIGCOMM, 2004 Presenter: YanYan Wang

Motivation To defense software vulnerabilities between vulnerability disclosure and software patching. To propose a first-line worm defense in the network stack using “shields” to safely delay the needs for installing software patch that removes vulnerabilities.

Why It Is Necessary People do not patch their systems for following reasons: Disruption Unreliability Irreversibility Unawareness

Shield Framework Vulnerability specific Exploit-generic installed at the end host Operates between application protocol layer and the transport layer Examines the incoming and outgoing traffic of vulnerable applications Corrects the traffic according to the vulnerability signature

Vulnerability Modeling A shield vulnerability signature describe the vulnerability state machine and how to recognize exploits in the vulnerable event. A shield policy specifies the vulnerability signature and actions needed to recognize an exploit. It is provided by the shield designers, mostly the application vulnerability vendor.

Vulnerability Modeling Application Message Pre-vulnerability State

Shield Architecture Goals for shield design: Minimize the state maintained Need to resist resource consumption attacks (e.g. DoS). Enough flexibility to support any application level protocol Separate policy from mechanism Design fidelity: Need to defend being an alternative target

Data Structure There are two main data structure: The application vulnerability state machine specifications (Spec) Instruct shield to emulate the application vulnerability state machine at run time Contents state machines specifics, port number, event and session info. Run time session states Includes current state of the session and other context info.

Components Policy loader Application dispatcher Session dispatcher Integrate new shield policy with existing one or created new Application dispatcher Determine which Spec. to refer to upon arrival of raw data based on port number. Session dispatcher Obtain the location of the session ID, message. type, message. Boundary marker, and extract message(s), dispatch the event to appropriate state machine instance.

Components (cont.) State machine instance Shield interpreter Give the new arrival event and the current state, consult with Spec., invoke the correspondent event handler and call shield interpret to decode the handler. Shield interpreter Find out how to parse application level protocol payload and examine for exploits from the handler, as well as drop packets, session tear-down, or setting the next state for current SMI.

Shield Architecture

Detailed Design Issue Scattered arrivals Out-of-Order arrivals Recognize multi-data arrival Out-of-Order arrivals Shield copy and passes to the application Max needs to be set in the policy Application Level Fragmentation The Spec needs to contain the location of the application level fragment ID

Shield Policy Language

Shield Policy Language Payload specification - Static States, events, state machine transition, and generic application level protocol info. Loaded into Spec. Handler specification – Run Time Handler specification and payload paring instructions Examine the packet payload, pinpoint any exploit, record the session context for later Syntax of the handlers and the payload format are parsed and stored in Spec. by policy loader

Implementation Shield Prototype Using WinSock2 LSP C++ Used vulnerability behind Slammer, MSBlast, CodeRed, and twelve other vulnerabilities from Microsoft security bulletins

Evaluation Applicability

Evaluation False Positives 36 cases for exhaustive testing SSRP protocol of SQL server 2000 No false positive Does not mean false positive-free

Strength Defend vulnerability without installing patches Non-invasive Exploit-generic Development of shield policy language Set potential standard

Weakness Only work for known vulnerability Need to manually generate signatures Vulnerability specific Does not work on all vulnerability Bugs deeply embedded in the application’s logic File-base vulnerability

Improvement Automated tool to generate signature More experiment on applications with vulnerability that does not apply to shield

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.