DOI: 10.1145/1180405.1180412
Article

Packet vaccine: black-box exploit detection and signature generation

Published: 30 October 2006 Publication History

Abstract

In biology, a vaccine is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a packet vaccine mechanism that randomizes address-like strings in packet payloads to carry out fast exploit detection, vulnerability diagnosis and signature generation. An exploit with a randomized jump address behaves like a vaccine: it will likely cause an exception in a vulnerable program's process when attempting to hijack the control flow, and thereby expose itself. Taking that exploit as a template, our signature generator creates a set of new vaccines to probe the program, in an attempt to uncover the necessary conditions for the exploit to happen. A signature is built upon these conditions to shield the underlying vulnerability from further attacks. In this way, packet vaccine detects and filters exploits in a black-box fashion, i.e., avoiding the expense of tracking the program's execution flow. We present the design of the packet vaccine mechanism and an example of its application. We also describe our proof-of-concept implementation and the evaluation of our technique using real exploits.
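The address-randomization step the abstract describes, as an added illustration that is not the paper's own code: it scans a payload for 32-bit little-endian words that fall inside address-like ranges, replaces each with a random word outside those ranges (so a hijacked jump would fault rather than run), and verifies that nothing else in the payload changed. The address ranges and the sample request are assumptions constructed for this example.

```python
import random
import struct

# Assumed address-like ranges (x86 Linux user-space layout, chosen for
# illustration); the page does not give the paper's actual ranges.
ADDRESS_RANGES = (
    (0x08048000, 0x0A000000),  # program text/data
    (0xB7000000, 0xC0000000),  # shared libraries and stack
)

# Constructed sample: a request whose payload repeats one "jump address" three times.
SAMPLE_PAYLOAD = b"GET /" + b"A" * 8 + struct.pack("<I", 0xBFFFF3C4) * 3 + b" HTTP/1.0\r\n"


def is_address_like(value: int) -> bool:
    """True if a 32-bit word falls inside a mapped-looking range."""
    return any(lo <= value < hi for lo, hi in ADDRESS_RANGES)


def find_address_like(payload: bytes) -> list:
    """Offsets of non-overlapping 4-byte words that look like code addresses."""
    hits, off = [], 0
    while off + 4 <= len(payload):
        if is_address_like(struct.unpack_from("<I", payload, off)[0]):
            hits.append(off)
            off += 4  # skip the whole word so hits never overlap
        else:
            off += 1
    return hits


def words_at(payload: bytes, offsets: list) -> list:
    """Decode the 32-bit words at the given offsets."""
    return [struct.unpack_from("<I", payload, off)[0] for off in offsets]


def vaccinate(payload: bytes, seed=None) -> tuple:
    """Build a vaccine: the same payload with every address-like word replaced by
    a random word that is NOT address-like, so a hijacked control transfer lands
    in unmapped memory and raises an exception instead of running attacker code."""
    rng = random.Random(seed)
    vaccine = bytearray(payload)
    offsets = find_address_like(payload)
    for off in offsets:
        word = rng.getrandbits(32)
        while is_address_like(word):
            word = rng.getrandbits(32)
        struct.pack_into("<I", vaccine, off, word)
    return bytes(vaccine), offsets


def unchanged_outside(payload: bytes, vaccine: bytes, offsets: list) -> bool:
    """Check that the vaccine differs from the original only inside the hit words."""
    touched = {off + k for off in offsets for k in range(4)}
    return len(payload) == len(vaccine) and all(
        payload[i] == vaccine[i] for i in range(len(payload)) if i not in touched)
```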

Published In

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security
October 2006
434 pages
ISBN:1595935185
DOI:10.1145/1180405

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. black-box defense
  2. exploit detection
  3. signature generation
  4. vaccine injection
  5. worm

Conference

CCS06: 13th ACM Conference on Computer and Communications Security 2006
October 30 - November 3, 2006
Alexandria, Virginia, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
