Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities


Detailed description

Bibliographic details
Published in: 2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507), Vol. 1, pp. 235-248
Main authors: Pasupulati, A., Coit, J., Levitt, K., Wu, S.F., Li, S.H., Kuo, J.C., Fan, K.P.
Affiliation (Pasupulati, Coit, Levitt, Wu): Dept. of Computer Science, University of California, Davis, CA, USA
Format: Conference proceedings
Language: English
Published: Piscataway, NJ: IEEE, 2004
Subject terms: Buffer overflow; Computer worms; Intrusion detection; Polymorphism; Computer security; Memory and file management (including protection and security); Web server; Internet; Software; Testing
ISBN: 0780382307, 9780780382305
ISSN: 1542-1201
DOI: 10.1109/NOMS.2004.1317662
Online access: Full text at https://ieeexplore.ieee.org/document/1317662
Abstract

Attack polymorphism is a powerful tool for the attackers in the Internet to evade signature-based intrusion detection/prevention systems. In addition, new and faster Internet worms can be coded and launched easily by even high school students anytime against our critical infrastructures, such as DNS or update servers. We believe that polymorphic Internet worms will be developed in the future such that many of our current solutions might have a very small chance to survive. In this paper, we propose a simple solution called "Buttercup" to counter against attacks based on buffer-overflow exploits (such as CodeRed, Nimda, Slammer, and Blaster). We have implemented our idea in SNORT, and included 19 return address ranges of buffer-overflow exploits. With a suite of tests against 55 TCPdump traces, the false positive rate for our best algorithm is as low as 0.01%. This indicates that, potentially, Buttercup can drop 100% worm attack packets on the wire while only 0.01% of the good packets will be sacrificed.