Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities

Attack polymorphism is a powerful tool for the attackers in the Internet to evade signature-based intrusion detection/prevention systems. In addition, new and faster Internet worms can be coded and launched easily by even high school students anytime against our critical infrastructures, such as DNS...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507) Ročník 1; s. 235 - 248 Vol.1
Hlavní autoři: Pasupulati, A., Coit, J., Levitt, K., Wu, S.F., Li, S.H., Kuo, J.C., Fan, K.P.
Médium: Konferenční příspěvek
Jazyk:angličtina
Vydáno: Piscataway NJ IEEE 2004
Témata:
Applied sciences
Buffer overflow
Computer science
Computer science; control theory; systems
Computer systems and distributed systems. User interface
Computer worms
Cryptography
Educational institutions
Exact sciences and technology
Internet
Intrusion detection
Memory and file management (including protection and security)
Memory organisation. Data processing
Software
Testing
Web server
Wire
Overflow(computer arithmetics)
Critical system
Updating
Vulnerability
Network management
Internet
Distributed system
Buffer system
Computer security
Computer attack
Polymorphism
Intrusion detection systems
ISBN:0780382307, 9780780382305
ISSN:1542-1201
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:Attack polymorphism is a powerful tool for the attackers in the Internet to evade signature-based intrusion detection/prevention systems. In addition, new and faster Internet worms can be coded and launched easily by even high school students anytime against our critical infrastructures, such as DNS or update servers. We believe that polymorphic Internet worms will be developed in the future such that many of our current solutions might have a very small chance to survive. In this paper, we propose a simple solution called "Buttercup" to counter against attacks based on buffer-overflow exploits (such as CodeRed, Nimda, Slammer, and Blaster). We have implemented our idea in SNORT, and included 19 return address ranges of buffer-overflow exploits. With a suite of tests against 55 TCPdump traces, the false positive rate for our best algorithm is as low as 0.01%. This indicates that, potentially, Buttercup can drop 100% worm attack packets on the wire while only 0.01% of the good packets will be sacrificed.
ISBN:0780382307
9780780382305
ISSN:1542-1201
DOI:10.1109/NOMS.2004.1317662