Abstract
Software systems are usually engineered and tested for functionality under normal rather than worst-case conditions. This leaves them vulnerable to denial of service attacks, in which attackers engineer conditions that cause overconsumption of resources, or starvation and stalling of execution. While the security community is well acquainted with volumetric resource exhaustion attacks at the network and transport layers, application-specific attacks pose a more challenging threat. In this paper, we present Radmin, a novel system for early detection of application-level resource exhaustion and starvation attacks. Radmin works directly on compiled binaries. It learns multiple probabilistic finite automata from benign runs of target programs and executes them alongside the program. Radmin confines the resource usage of target programs to the learned automata and detects resource usage anomalies at their early stages. We demonstrate the effectiveness of Radmin by testing it against a variety of resource exhaustion and starvation weaknesses in commodity off-the-shelf software.
Notes
1. Unless stated otherwise, we use “measurements” and “sequences” interchangeably in the rest of this paper.
2. Source code is available under GPLv3 at https://github.com/melsabagh/radmin.
3. Unless stated otherwise, we use “task” to refer to both child processes and threads spawned by a monitored program, without distinguishing between them.
4. For details and code samples, please refer to the CWE project at http://cwe.mitre.org.
Acknowledgements
We thank Konstantinos Kolias, the anonymous reviewers, and our shepherd Andrei Sabelfeld for their insightful comments and suggestions. We thank Sharath Hiremagalore for technical assistance. This work is supported by National Science Foundation Grants No. CNS 1421747 and II-NEW 1205453. Opinions, findings, conclusions, and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF or the US Government.
Appendices
A PST Hyperparameters Grid
See Table 5.
B Starvation and Livelock Snippets

Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Elsabagh, M., Barbará, D., Fleck, D., Stavrou, A. (2015). Radmin: Early Detection of Application-Level Resource Exhaustion and Starvation Attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol. 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_24
DOI: https://doi.org/10.1007/978-3-319-26362-5_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26361-8
Online ISBN: 978-3-319-26362-5