
A General Model and Guidelines for Attack Manifestation Generation

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2007)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5141)


Abstract

Many critical infrastructures, such as health care, crisis management and financial systems, are part of the Internet and exposed to the rather hostile environment found there. At the same time it is recognized that traditional defensive mechanisms provide some protection but have to be complemented with supervisory features, such as intrusion detection. Intrusion detection systems (IDS) monitor the network and the host computers for signs of intrusions and intrusion attempts. However, an IDS needs training data to learn how to discriminate between intrusion attempts and benign events. In order to properly train the detection system we need data containing attack manifestations. Providing such manifestations may take considerable effort, especially since many attacks are not successful against a particular system version. This paper suggests a general model for how to implement an automatic tool that can be used to generate successful attacks and to find the relevant manifestations with a limited amount of effort and time delay. Those manifestations can then promptly be used for setting up the IDS and countering the attack. To illustrate the concepts we provide an implementation example for an important attack type, the stack-smashing buffer overflow attack.
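The abstract describes a generator that varies an attack until it succeeds and then records the resulting manifestation. The following C program is an added illustration of that idea for the stack-smashing case; it is not the authors' tool and does not reproduce their implementation. It assumes a simplified target (a struct standing in for a stack frame, with a fixed buffer followed by a guard word in place of the saved return address), an unbounded memcpy as the vulnerability, and a generator that grows the payload one byte at a time until the guard is observably corrupted. All names (frame, vulnerable_copy, generate_manifestation, guard_survives_safe_copy) and the guard constant are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define GUARD_OK 0xA5A5A5A5u   /* assumed sentinel standing in for a saved return address */

/* Stand-in for a stack frame: a fixed buffer followed by the value an
 * attacker must reach (the saved return address in a real frame).
 * Struct members keep declaration order, so buf always precedes guard. */
struct frame {
    char buf[BUF_SIZE];
    uint32_t guard;
};

/* Vulnerable copy: no length check, the classic strcpy-style stack smash.
 * buf sits at offset 0, so writing len bytes from the struct's start is the
 * same as overrunning buf. The generator caps len at sizeof(struct frame) so
 * the overrun stops at the guard and never touches memory outside the object. */
static void vulnerable_copy(struct frame *f, const unsigned char *payload, size_t len)
{
    memcpy((unsigned char *)f, payload, len);
}

/* Hardened counterpart: bounded copy plus explicit termination. */
static void safe_copy(struct frame *f, const unsigned char *payload, size_t len)
{
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->buf, payload, n);
    f->buf[n] = '\0';
}

/* What the generator records once an attempt succeeds. */
struct manifestation {
    int found;
    size_t payload_len;    /* smallest payload length that corrupts the guard */
    uint32_t guard_value;  /* attacker-controlled value that landed in the guard */
};

/* Attack generator: grow the payload one byte at a time and record the first
 * length at which the guard is under attacker control. Returns found == 0 if
 * no length in range produced an observable change. */
struct manifestation generate_manifestation(unsigned char filler)
{
    struct manifestation m = {0, 0, 0};
    unsigned char payload[sizeof(struct frame)];   /* constructed attack input */
    memset(payload, filler, sizeof payload);

    for (size_t len = 1; len <= sizeof payload; len++) {
        struct frame f;
        memset(f.buf, 0, sizeof f.buf);
        f.guard = GUARD_OK;
        vulnerable_copy(&f, payload, len);
        if (f.guard != GUARD_OK) {
            m.found = 1;
            m.payload_len = len;
            m.guard_value = f.guard;
            break;
        }
    }
    return m;
}

/* Same sweep against the bounded copy: returns 1 if the guard survives every length. */
int guard_survives_safe_copy(unsigned char filler)
{
    unsigned char payload[2 * sizeof(struct frame)];
    memset(payload, filler, sizeof payload);
    for (size_t len = 1; len <= sizeof payload; len++) {
        struct frame f;
        memset(f.buf, 0, sizeof f.buf);
        f.guard = GUARD_OK;
        safe_copy(&f, payload, len);
        if (f.guard != GUARD_OK)
            return 0;
    }
    return 1;
}

int main(void)
{
    struct manifestation m = generate_manifestation(0x41);   /* 'A' filler */
    if (m.found)
        printf("overflow observable at %zu bytes, guard now 0x%08x\n",
               m.payload_len, (unsigned)m.guard_value);
    else
        printf("no observable manifestation\n");

    /* A filler equal to the guard's own bytes overwrites it with itself: the
     * overrun happens but leaves no trace, so a generator must vary the
     * payload content, not only its length, before concluding an attack failed. */
    m = generate_manifestation(0xA5);
    printf("filler 0xA5: found=%d\n", m.found);
    printf("bounded copy keeps guard intact: %d\n", guard_survives_safe_copy(0x41));
    return 0;
}
```

With the 'A' filler the first corrupting length is BUF_SIZE + 1 (the first byte past the buffer lands in the guard); the 0xA5 run shows a success that produces no manifestation, which is exactly the kind of attempt an automatic generator has to recognise and retry with different content. The bounded copy never disturbs the guard at any length.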




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Larson, U.E., Nilsson, D.K., Jonsson, E. (2008). A General Model and Guidelines for Attack Manifestation Generation. In: Lopez, J., Hämmerli, B.M. (eds) Critical Information Infrastructures Security. CRITIS 2007. Lecture Notes in Computer Science, vol 5141. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89173-4_23


  • DOI: https://doi.org/10.1007/978-3-540-89173-4_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-89095-9

  • Online ISBN: 978-3-540-89173-4

