
Accurate and efficient exploit capture and classification

A fast and accurate method and system for automatic exploit capture and classification


Abstract

Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels. However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present SeismoMeter, which recognizes both control-flow hijacking and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident, SeismoMeter generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. SeismoMeter then classifies the captured exploits into exploit families by computing distances between the extracted skeletons. To evaluate the efficiency of SeismoMeter, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that SeismoMeter is a practical system that successfully detects and correctly classifies all of these exploit attacks.

Highlights

Exploits (especially 0-day exploits) have become one of the most serious threats to computer security. Today, security researchers face large numbers of exploits collected from honeypot systems, forensic systems and underground markets every day, yet there is no fast and effective method for analyzing them. We implemented SeismoMeter, which can recognize exploit attacks that hijack control flow; we also combine taint analysis and API sandboxing to further improve attack-recognition accuracy. When an exploit attack is detected, SeismoMeter builds an exploit skeleton from the captured exploit based on the attack, and then classifies exploits according to these skeletons. We tested SeismoMeter with the widely used penetration-testing platform Metasploit and with exploits captured in the wild. The experimental results show that SeismoMeter can quickly and correctly detect exploit attacks while classifying the exploits.
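The skeleton-distance classification step described in both abstracts, as an added illustration rather than SeismoMeter's own code. It assumes (the paper does not state this) that a skeleton is the ordered list of coarse detector events a sample triggered and that families are matched by normalized Levenshtein distance against labelled reference skeletons; the event names and family skeletons are constructed.

```python
"""Toy exploit-skeleton classifier (added example, not SeismoMeter's code)."""
from typing import Dict, List, Sequence, Tuple

# Constructed event vocabulary: what the three detectors named in the
# abstract (approximate CFI, taint tracking, API sandbox) might report.
CFI = "cfi_violation"      # indirect branch reached an unexpected target
TAINT = "tainted_ptr"      # attacker-tainted value used as pointer/index
SANDBOX = "api_blocked"    # sensitive API reached from untrusted code


def levenshtein(a: Sequence[str], b: Sequence[str]) -> int:
    """Edit distance over event tokens (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete x
                           cur[j - 1] + 1,         # insert y
                           prev[j - 1] + (x != y)))  # substitute
        prev = cur
    return prev[-1]


def distance(a: Sequence[str], b: Sequence[str]) -> float:
    """Normalize to [0, 1] so skeletons of different length compare fairly."""
    n = max(len(a), len(b))
    return levenshtein(a, b) / n if n else 0.0


def classify(skeleton: Sequence[str], families: Dict[str, List[Sequence[str]]],
             threshold: float = 0.4) -> Tuple[str, float]:
    """Nearest labelled skeleton wins; far from everything => new family."""
    best = ("unknown", 1.0)
    for name, refs in families.items():
        for ref in refs:
            d = distance(skeleton, ref)
            if d < best[1]:
                best = (name, d)
    return best if best[1] <= threshold else ("unknown", best[1])


# Constructed reference skeletons for two hypothetical families.
FAMILIES: Dict[str, List[Sequence[str]]] = {
    "rop_chain": [[TAINT, CFI, CFI, CFI, SANDBOX]],
    "data_only": [[TAINT, TAINT, SANDBOX]],  # no control-flow hijack at all
}


def demo() -> List[Tuple[str, float]]:
    """Classify three constructed capture skeletons against FAMILIES."""
    return [classify(s, FAMILIES) for s in (
        [TAINT, CFI, CFI, SANDBOX],                 # near rop_chain
        [TAINT, SANDBOX],                           # near data_only
        [CFI, CFI, CFI, CFI, CFI, CFI, CFI, CFI],   # unlike either
    )]
```

The third sample lands in "unknown", which is the case an analyst wants surfaced: a capture that matches no known family deserves manual diagnosis.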



Author information

Correspondence to Xinhui Han.


About this article


Cite this article

Ding, Y., Wei, T., Xue, H. et al. Accurate and efficient exploit capture and classification. Sci. China Inf. Sci. 60, 052110 (2017). https://doi.org/10.1007/s11432-016-5521-0


Keywords

  • software security
  • exploit classification
  • exploit attack capture
  • control flow integrity
  • JIT security

Keywords (Chinese)

  • exploit attacks
  • intrusion detection
  • exploit classification
  • JIT compilation
  • vulnerability exploitation