Abstract
Current exploit detection techniques are designed from expert observations, manual analysis, and heuristic-like rules. Because such defences are created by hand, they are usually limited in the number of exploit techniques they can detect. Machine-learning-based techniques offer greater promise for detecting zero-day exploits. However, current research on machine learning for unknown-attack detection is largely confined to intrusion detection and malware analysis; little work addresses the detection of exploits targeting zero-day vulnerabilities with machine-learning methods. These limitations stem from the lack of extensive datasets tailored to the problem of software exploitation. In this paper, we introduce a method and toolset for creating exploit-trace datasets. Our approach captures full traces of benign software under exploitation and records the vulnerable threads within an application, providing a comprehensive view of program execution. We evaluated our method and tools on 13 unique and distinct applications and recorded their traces while they were under attack. Our approach successfully traced 53% of the applications and detected the exploit payloads in 71% of the applications that were successfully traced.
© 2021 Springer Nature Switzerland AG
Youssef, A., Abdelrazek, M., Karmakar, C., Baig, Z. (2021). Tracing Software Exploitation. In: Yang, M., Chen, C., Liu, Y. (eds) Network and System Security. NSS 2021. Lecture Notes in Computer Science(), vol 13041. Springer, Cham. https://doi.org/10.1007/978-3-030-92708-0_22
DOI: https://doi.org/10.1007/978-3-030-92708-0_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92707-3
Online ISBN: 978-3-030-92708-0
eBook Packages: Computer Science, Computer Science (R0)