
Accurate and efficient exploit capture and classification

A fast and accurate method and system for automatic exploit capture and classification

  • Research Paper
Science China Information Sciences

Abstract

Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels. However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present SeismoMeter, which recognizes both control-flow hijacking and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident, SeismoMeter generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. SeismoMeter then classifies the captured exploits into different exploit families by performing distance computation on the extracted skeletons. To evaluate the efficiency of SeismoMeter, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that SeismoMeter is a practical system that successfully detects and correctly classifies all these exploit attacks.

Highlights

Exploits (especially 0-day exploits) have become one of the most serious threats to computer security. Today, security researchers are confronted every day with large numbers of exploits collected from honeypot systems, forensic systems and underground markets. However, a fast and effective method for analyzing these collected exploits is lacking. We implemented SeismoMeter, which can recognize control-flow-hijacking exploit attacks. We further combined taint analysis and API sandboxing to improve the accuracy of attack recognition. When an exploit attack is detected, SeismoMeter builds an Exploit Skeleton for the captured exploit based on the attack. It then classifies the exploits according to these Exploit Skeletons. We tested SeismoMeter using the general-purpose penetration-testing platform Metasploit and similar sources, and we also tested it with exploits captured in the wild. The experimental results show that SeismoMeter can quickly and correctly detect exploit attacks and classify the exploits.
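The abstract and the highlights above describe the classification step only in outline: each captured exploit is reduced to an exploit skeleton, and skeletons are grouped into families by a distance computation. The following is an added illustration of that step, not SeismoMeter's code and not taken from the paper. It assumes (as a hypothetical representation) that a skeleton is an ordered list of coarse event tokens emitted by the detector (which integrity check fired, what the taint tracker flagged, which API the sandbox intercepted), that families are compared by normalised edit distance, and that a distance above a fixed threshold means the sample belongs to no known family. The sample skeletons and family names are constructed for the example.

```python
"""Toy exploit-skeleton classifier (added illustration, not SeismoMeter's code).

Assumed representation (not from the paper): a skeleton is an ordered list of
event tokens; families are sets of previously classified skeletons; a new
sample is assigned to the family holding its nearest skeleton under a
normalised Levenshtein distance, or reported as unknown above a threshold.
"""
from typing import Dict, List, Optional, Tuple

Skeleton = List[str]


def edit_distance(a: Skeleton, b: Skeleton) -> int:
    """Levenshtein distance over token sequences (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ta in enumerate(a, 1):
        cur = [i]
        for j, tb in enumerate(b, 1):
            cost = 0 if ta == tb else 1
            cur.append(min(prev[j] + 1,        # delete ta
                           cur[j - 1] + 1,     # insert tb
                           prev[j - 1] + cost))  # substitute / match
        prev = cur
    return prev[-1]


def skeleton_distance(a: Skeleton, b: Skeleton) -> float:
    """Normalise to [0, 1] so skeletons of different lengths are comparable."""
    n = max(len(a), len(b))
    return edit_distance(a, b) / n if n else 0.0


def classify(skel: Skeleton, families: Dict[str, List[Skeleton]],
             threshold: float = 0.4) -> Tuple[Optional[str], float]:
    """Nearest-family assignment.

    Returns (family_name, distance) for the closest known skeleton, or
    (None, distance) when even the closest one is farther than `threshold`,
    which an analyst would treat as a candidate new family.
    """
    best_name: Optional[str] = None
    best_dist = 1.0
    for name, members in families.items():
        d = min(skeleton_distance(skel, m) for m in members)
        if d < best_dist:
            best_name, best_dist = name, d
    if best_dist > threshold:
        return None, best_dist
    return best_name, best_dist


# Constructed sample families (token format and contents are made up for the example).
FAMILIES: Dict[str, List[Skeleton]] = {
    "rop-heap-spray": [
        ["CFI:indirect-call-mismatch", "TAINT:pc-from-input",
         "API:VirtualProtect", "API:CreateProcess"],
        ["CFI:ret-mismatch", "TAINT:pc-from-input",
         "API:VirtualProtect", "API:WinExec"],
    ],
    "data-only-file-write": [
        ["TAINT:arg-from-input", "API:CreateFile", "API:WriteFile"],
    ],
}


def demo() -> List[Tuple[Optional[str], float]]:
    """Classify two constructed captures: one near a known family, one not."""
    variant = ["CFI:indirect-call-mismatch", "TAINT:pc-from-input",
               "API:VirtualAlloc", "API:CreateProcess"]
    outlier = ["TAINT:arg-from-input", "API:socket", "API:connect", "API:send"]
    return [classify(variant, FAMILIES), classify(outlier, FAMILIES)]


if __name__ == "__main__":
    for family, dist in demo():
        print(family or "<unknown family>", round(dist, 2))
```

The threshold is the tunable part: too low and every small variation (a swapped API in the same chain) spawns a new family; too high and unrelated data-only and control-flow-hijacking captures collapse together. Normalising by the longer skeleton keeps a one-token difference in a long chain from looking as significant as the same difference in a short one.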



Author information

Corresponding author

Correspondence to Xinhui Han.

About this article

Cite this article

Ding, Y., Wei, T., Xue, H. et al. Accurate and efficient exploit capture and classification. Sci. China Inf. Sci. 60, 052110 (2017). https://doi.org/10.1007/s11432-016-5521-0

  • DOI: https://doi.org/10.1007/s11432-016-5521-0
