Accurately Detecting Source Code of Attacks That Increase Privilege
Authors
Abstract
Host-based Intrusion Detection Systems (IDS) that rely on audit data exhibit a delay between attack execution and attack detection. A knowledgeable attacker can use this delay to disable the IDS, often by executing an attack that increases privilege. To prevent this, we have begun to develop a system to detect these attacks before they are executed. The system separates incoming data into several categories, each of which is summarized using feature statistics that are combined to estimate the posterior probability that the data contains attack code. Our work to date has focused on detecting attacks embedded in shell code and C source code. We have evaluated this system by constructing large databases of normal and attack software written by many people, selecting features and training classifiers, then testing the system on a disjoint corpus of normal and attack code. Results show that such attack code can be detected accurately.
Similar references
Understanding and Detecting Concurrency Attacks
Just like bugs in single-threaded programs can lead to vulnerabilities, bugs in multithreaded programs can also lead to concurrency attacks. Unfortunately, there is little quantitative data on how well existing tools can detect these attacks. This paper presents the first quantitative study on concurrency attacks and their implications on tools. Our study on 10 widely used programs reveals 26 c...
Dwarf Frankenstein is still in your memory: tiny code reuse attacks
Code reuse attacks such as return oriented programming and jump oriented programming are the most popular exploitation methods among attackers. A large number of practical and non-practical defenses are proposed that differ in their overhead, the source code requirement, detection rate and implementation dependencies. However, a usual aspect among these methods is consideration of the common be...
Design for Security: Measurement, Analysis
Security vulnerabilities pose a serious threat to computer systems and network infrastructures. This dissertation addresses the measurement and analysis of security vulnerabilities and their impact, as well as the design of several techniques for vulnerability mitigation. The research starts with the analysis of the security vulnerabilities published in the Bugtraq list and CERT advisories. An ...
Detection of Lightweight Directory Access Protocol Query Injection Attacks in Web Applications
The Lightweight Directory Access Protocol (LDAP) is a common protocol used in organizations for Directory Service. LDAP is popular because of its features such as representation of data objects in hierarchical form, being open source and relying on TCP/IP, which is necessary for Internet access. However, with LDAP being used in a large number of web applications, different types of LDAP injecti...