Packet Vaccine: Blackbox Exploit Detection and Signature Generation Authors: XiaoFeng Wang Zhuowei Li Jong Youl Choi School of Informatics, Indiana University.


Packet Vaccine: Blackbox Exploit Detection and Signature Generation Authors: XiaoFeng Wang Zhuowei Li Jong Youl Choi School of Informatics, Indiana University at Bloomington. Jun Xu Google, Inc. Michael K. Reiter Computer Science Department, Electrical & Computer Engineering Department, Carnegie Mellon University Chongkyung Kil Department of Computer Science, North Carolina State University. Presented by: Walaa Akram Anwar

Problem Exploit: An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior in software, hardware, or another electronic (usually computerized) device. This frequently includes gaining control of a computer system, escalating privileges, or mounting a denial-of-service attack.

Related Work Network anomaly detection (NAD) has been widely used to detect exploit attempts in network traffic. Earlybird, Honeycomb and Autograph: typical network signature generators that extract common substrings from attack dataflows and use them as exploit signatures. TaintCheck, VSEF, Vigilante and DACODA: host-based approaches that use information gathered on the host to detect anomalies and generate signatures.

Paper Solution Vaccine: a weakened strain of a virus or bacterium that is intentionally injected into the body to stimulate antibody production. Packet Vaccine borrows the idea: a suspicious packet is weakened by randomizing the bytes that look like jump addresses, then fed to the program so that an exploit attempt reveals itself through an exception instead of a successful hijack.

Paper Solution Cont. Vaccine generation is based upon ◦ detection of anomalous packet payloads, e.g., a byte sequence resembling a jump address; ◦ randomization of the selected contents. A vaccine can detect an exploit attempt, since the randomized jump address should now trigger an exception in a vulnerable program rather than transferring control to the attacker's code. Vulnerability diagnosis correlates the exception with the vaccine to acquire information about the exploit, in particular the corrupted pointer's content and its location in the exploit packet. Using this information, the signature generation engine creates variations of the original exploit to probe the vulnerable program, in an effort to identify the necessary exploit conditions from which a signature is generated.
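The three steps above (vaccine generation, exception-to-vaccine correlation, and probing for necessary conditions), as an added example that is not the paper's code: the target program is a constructed in-process stand-in with a hypothetical "GET <arg>" protocol and an assumed 32-bit memory map, and the names vulnerable_service, make_vaccine, diagnose, generate_signature and matches are illustrative. The fault address of the simulated program plays the role of the exception the real system observes.

```python
import random
import struct

# Constructed memory map (an assumption, not the paper's data): address ranges a jump
# address planted in an exploit would plausibly point into on a 32-bit Linux server.
MAPPED_REGIONS = {"stack": (0xBFF00000, 0xC0000000),
                  "heap": (0x08050000, 0x08100000),
                  "libc": (0x40000000, 0x40200000)}

def looks_like_address(word):
    return any(lo <= word < hi for lo, hi in MAPPED_REGIONS.values())

class Fault(Exception):           # the "exception" a vaccine is meant to trigger
    def __init__(self, addr):
        self.addr = addr

def vulnerable_service(packet):
    """Constructed stand-in for a vulnerable server: a 'GET <arg>' request whose argument
    is 68+ bytes overwrites a saved return address with arg[64:68]; the function then
    'returns' there and faults if that address is unmapped."""
    if not packet.startswith(b"GET "):
        return "ignored"
    arg = packet[4:]
    if len(arg) < 68:
        return "ok"
    (ret,) = struct.unpack_from("<I", arg, 64)
    if not looks_like_address(ret):
        raise Fault(ret)
    return "hijacked"             # a real exploit: control silently goes to attacker code

def find_address_candidates(payload):
    """Offsets of non-overlapping 4-byte little-endian words that fall in a mapped region."""
    offsets, off = [], 0
    while off + 4 <= len(payload):
        (word,) = struct.unpack_from("<I", payload, off)
        if looks_like_address(word):
            offsets.append(off)
            off += 4
        else:
            off += 1
    return offsets

def make_vaccine(payload, rng=None):
    """Replace each candidate pointer with a random unmapped address: if the program ever
    uses it, it faults with a value we recognize instead of running attacker code."""
    rng = rng or random.Random()
    vaccine, injected = bytearray(payload), {}
    for off in find_address_candidates(payload):
        addr = rng.getrandbits(32)
        while looks_like_address(addr) or addr < 0x1000:      # also avoid the null page
            addr = rng.getrandbits(32)
        struct.pack_into("<I", vaccine, off, addr)
        injected[off] = addr
    return bytes(vaccine), injected

def diagnose(payload, rng=None):
    """Send the vaccine; a fault whose address equals an injected value pins down the
    corrupted pointer's original content and its offset in the packet. None = no fault."""
    vaccine, injected = make_vaccine(payload, rng)
    try:
        vulnerable_service(vaccine)
    except Fault as fault:
        for off, addr in injected.items():
            if addr == fault.addr:
                (orig,) = struct.unpack_from("<I", payload, off)
                return {"pointer_offset": off, "original_pointer": orig}
        return {"pointer_offset": None, "fault_addr": fault.addr}
    return None

def generate_signature(payload, diag, rng=None):
    """Probe with variants: flip each non-pointer byte and keep those whose change stops
    the fault (necessary bytes); truncate to find the shortest still-faulting length."""
    vaccine, _ = make_vaccine(payload, rng)
    ptr, required = diag["pointer_offset"], {}
    for i in range(len(vaccine)):
        if ptr <= i < ptr + 4:
            continue
        variant = bytearray(vaccine)
        variant[i] ^= 0xFF
        try:
            vulnerable_service(bytes(variant))
            required[i] = vaccine[i]          # no fault any more: this byte matters
        except Fault:
            pass
    min_len = None
    for n in range(ptr + 4, len(vaccine) + 1):
        try:
            vulnerable_service(vaccine[:n])
        except Fault:
            min_len = n
            break
    return {"required_bytes": required, "min_length": min_len, "pointer_offset": ptr}

def matches(packet, sig):
    return (len(packet) >= sig["min_length"]
            and all(packet[i] == b for i, b in sig["required_bytes"].items()))

# Constructed exploit packet: keyword, 64 bytes of filler, a stack address as the new
# return address, then a NOP sled standing in for shellcode.
EXPLOIT = b"GET " + b"A" * 64 + struct.pack("<I", 0xBFFFF5A0) + b"\x90" * 16

def run_demo(seed=7):
    rng = random.Random(seed)
    diag = diagnose(EXPLOIT, rng)
    return diag, generate_signature(EXPLOIT, diag, rng)

if __name__ == "__main__":
    print(run_demo())
```

The signature that falls out is a protocol keyword plus a minimum argument length, with the filler and the sled left as wildcards, which is why a polymorphic variant with different filler still matches. Because every address-like word is randomized before the packet touches the program, the probe is safe to run even when the packet is a live exploit.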

Paper Solution Cont. Correlations

Evaluation

Evaluation Cont. Two hosts were used in the experiment: ◦ one for both the proxy and the test server; ◦ the other for the web server. Both were equipped with a 2.53 GHz Intel Pentium 4 processor and 1 GB RAM and ran Red Hat Enterprise Linux. They were interconnected through a 100 Mbit/s switch.

Evaluation Cont. The performance of the implementation was measured from the following perspectives: ◦ Server overhead, comparing the workload capacity of the implementation with that of an unprotected Apache server. ◦ Client-side delay, the average delay a client experiences under different test rates.

Evaluation Cont. Server-overhead configurations (figures as shown on the slide): ◦ (D0) Apache and the proxy on different hosts: 44% ◦ (D1) Apache on one host, the proxy and packet vaccine on another: 29% ◦ (S0) Apache and the proxy on the same host: 43% ◦ (S1) Apache, proxy and packet vaccine all on the same host: 27% ◦ (0) Apache only (baseline).

Evaluation Cont.

The average delay for a local client increased almost linearly with the test rate. However, this result could be misleading, as the local client experienced a much smaller round-trip delay (RTD) than an average Internet user. The RTD measured on campus is around 300 µs, while the average RTD on the Internet is much larger. Therefore, an Internet client's perception of the presence of packet vaccine could be completely overshadowed by the RTD.

Conclusion Gray-box analysis is accurate and applicable to commodity software, but it incurs significant runtime overheads, often slowing the system by an order of magnitude. Packet Vaccine is a fast, black-box technique for exploit detection, vulnerability diagnosis and signature generation.

Thank You