Tracing Software Exploitation

  • Conference paper
Network and System Security (NSS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13041)

Abstract

Current exploit detection techniques are built from expert observation, manual analysis and heuristic rules. Because such defences are hand-crafted, each typically detects only a small number of exploitation techniques. Machine learning offers a more promising route to detecting zero-day exploits, but existing work on machine-learning detection of unknown attacks concentrates on intrusion detection and malware analysis; little research addresses the detection of exploits that target zero-day vulnerabilities. A principal reason is the lack of extensive datasets tailored to the problem of software exploitation. In this paper we introduce a method and toolset for building datasets of exploit traces. Our approach captures full execution traces of benign software while it is under exploitation and records the vulnerable threads within the application, giving a comprehensive view of program execution. We evaluated the method and tools on 13 distinct applications, recording their traces while they were under attack. The approach successfully traced 53% of the applications and detected the exploit payload in 71% of those that were successfully traced.

Corresponding author: Ayman Youssef

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Youssef, A., Abdelrazek, M., Karmakar, C., Baig, Z. (2021). Tracing Software Exploitation. In: Yang, M., Chen, C., Liu, Y. (eds) Network and System Security. NSS 2021. Lecture Notes in Computer Science, vol 13041. Springer, Cham. https://doi.org/10.1007/978-3-030-92708-0_22

  • DOI: https://doi.org/10.1007/978-3-030-92708-0_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92707-3

  • Online ISBN: 978-3-030-92708-0
