Packet Vaccine: Blackbox Exploit Detection and Signature Generation Authors: XiaoFeng Wang Zhuowei Li Jong Youl Choi School of Informatics, Indiana University.


1 Packet Vaccine: Blackbox Exploit Detection and Signature Generation Authors: XiaoFeng Wang Zhuowei Li Jong Youl Choi School of Informatics, Indiana University at Bloomington. Jun Xu Google, Inc. Michael K. Reiter Computer Science Department, Electrical & Computer Engineering Department, Carnegie Mellon University Chongkyung Kil Department of Computer Science, North Carolina State University. Presented by: Walaa Akram Anwar

2 Problem Exploit: An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as forcibly gaining control of a computer system or allowing privilege escalation or a denial-of-service attack.

3 Related Work Network anomaly detection (NAD) has been widely used to detect exploit attempts from network traffic. Earlybird, Honeycomb and Autograph: Typical network signature generators extract common substrings from attack dataflows as an exploit signature. TaintCheck, VSEF, Vigilante and DACODA: Host-based approaches make use of host information to detect anomalies and generate signatures.

4 Paper Solution Vaccine: a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production.

5 Problem Solution Cont. Vaccine generation is based upon ◦ Detection of anomalous packet payloads, e.g., a byte sequence resembling a jump address. ◦ Randomization of selected contents. A vaccine can detect an exploit attempt, since it should now trigger an exception in a vulnerable program. Vulnerability diagnosis correlates the exception with the vaccine to acquire information regarding the exploit, in particular the corrupted pointer content and its location in the exploit packet. Using this information, the signature generation engine creates variations of the original exploit to probe the vulnerable program, in an effort to identify the exploit conditions necessary for generating a signature.
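The vaccine generation step described on this slide, sketched as an added example (not code from the paper or the presentation). The address ranges, the choice to randomize only the most significant byte, the function names and the sample request are assumptions made for illustration.

```python
import random
import struct

# Assumed suspect ranges (illustrative 32-bit Linux layout, not from the slides).
SUSPECT_RANGES = [
    (0xBF000000, 0xC0000000),  # stack
    (0x08048000, 0x0A000000),  # program image and heap
]

def is_address_like(word):
    """True if a 32-bit value falls inside one of the suspect ranges."""
    return any(lo <= word < hi for lo, hi in SUSPECT_RANGES)

def find_address_like(payload):
    """Offsets of little-endian 4-byte words that resemble a jump address."""
    return [off for off in range(len(payload) - 3)
            if is_address_like(struct.unpack_from("<I", payload, off)[0])]

def make_vaccine(payload, rng=None):
    """Return (vaccine, offsets): a copy of payload in which the top byte of
    every address-like word is randomized to a value outside the suspect
    ranges. The offsets are what a later diagnosis step would correlate
    with the address reported in the exception."""
    rng = rng or random.Random()
    buf = bytearray(payload)
    scrambled = []
    # Left-to-right pass over the mutable buffer: rewriting byte off+3 only
    # affects windows at higher offsets, which are re-checked when reached.
    for off in range(len(buf) - 3):
        word = struct.unpack_from("<I", buf, off)[0]
        if not is_address_like(word):
            continue
        low = word & 0x00FFFFFF
        safe = [b for b in range(256) if not is_address_like((b << 24) | low)]
        buf[off + 3] = rng.choice(safe)
        scrambled.append(off)
    return bytes(buf), scrambled

# Constructed sample: padded request carrying one stack-like 4-byte word.
SAMPLE = b"GET /" + b"A" * 24 + struct.pack("<I", 0xBFFFF2A0) + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    vaccine, offsets = make_vaccine(SAMPLE)
    for off in offsets:
        print(off, SAMPLE[off:off + 4].hex(), "->", vaccine[off:off + 4].hex())
```

If the program is vulnerable, the randomized word makes it fault on an address that can be matched back to the recorded offset; a request with no address-like words passes through unchanged.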

6 Paper Solution Cont. Correlations

7 Evaluation

8 Evaluation Cont. Two hosts were used in the experiment ◦ One for both the proxy and the test server ◦ The other for the web server. Both were equipped with a 2.53GHz Intel Pentium 4 processor and 1 GB RAM, and ran Redhat Enterprise 2.6.9-22.0.1.EL. They were interconnected through a 100MB switch.

9 Evaluation Cont. The performance of the implementation was evaluated from the following perspectives: ◦ Server overheads, where they compared the workload capacity of their implementation with that of an unprotected Apache server. ◦ Client-side delay, where they studied the average delay a client experiences under different test rates.

10 Evaluation Cont. (D0) Apache and the proxy on different hosts. 44% (D1) Apache on one host, and the proxy and packet vaccine on another. 29% (S0) Apache and the proxy on the same host. 43% (S1) Apache, the proxy and packet vaccine all on the same host. 27% (0) Apache only.

11 Evaluation Cont.

12 The average delay for a local client increased almost linearly with the test rate. However, this result could be misleading, as the local client experienced a much smaller round-trip delay (RTD) than an average Internet user. The RTD we measured on a campus is around 300µs, while the average RTD on the Internet is much larger. Therefore, an Internet client's perception of the presence of packet vaccine could be completely overshadowed by the RTD.

13 Conclusion Gray-box analysis is accurate and applicable to commodity software. However, it incurs significant runtime overheads, often slowing the system by an order of magnitude. Packet Vaccine: a fast, blackbox technique for exploit detection, vulnerability diagnosis and signature generation.

14 Thank You

