Abstract
As research in automatic signature generators (ASGs) receives more attention, various attacks against these systems are being identified. One of these attacks is the “allergy attack” which induces the target ASG into generating harmful signatures to filter out normal traffic at the perimeter defense, resulting in a DoS against the protected network. It is tempting to attribute the success of allergy attacks to a failure in not checking the generated signatures against a corpus of known “normal” traffic, as suggested by some researchers. In this paper, we argue that the problem is more fundamental in nature; the alleged “solution” is not effective against allergy attacks as long as the normal traffic exhibits certain characteristics that are commonly found in reality. We have come up with two advanced allergy attacks that cannot be stopped by a corpus-based defense. We also propose a page-rank-based metric for quantifying the damage caused by an allergy attack. Both the analysis based on the proposed metric and our experiments with Polygraph and Hamsa show that the advanced attacks presented will block out 10% to 100% of HTTP requests to the three websites studied: CNN.com, Amazon.com and Google.com.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Brumley, D., Newsome, J., Song, D., Wang, H., Jha, S.: Towards Automatic Generation of Vulnerability-Based Signatures. In: Proceedings of The 2006 IEEE Symposium on Security and Privacy, Oakland, May 2006, IEEE Computer Society Press, Los Alamitos (2006)
Chung, S.P., Mok, A.K.: Allergy attack against automatic signature generation. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, Springer, Heidelberg (2006)
Costa, M., Crowcroft, J., Castro, M., Rowstron, A., Zhou, L., Zhang, L., Barham, P.: Vigilante: End-to-end containment of internet worms. In: Proceedings of 20th ACM Symposium on Operating Systems Principles, Brighton, October 2005, ACM Press, New York (2005)
Kim, H., Karp, B.: Autograph: Toward automated, distributed worm signature detection. In: Proceedings of 13th USENIX Security Symposium, California (August 2004)
Kreibich, C., Crowcroft, J.: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In: Proceedings of the Second Workshop on Hot Topics in Networks (Hotnets II), Boston (November 2003)
Krugel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, Springer, Heidelberg (2006)
Li, Z., Sanghi, M., Chen, Y., Kao, M., Chavez, B.: Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In: Proceedings of The 2006 IEEE Symposium on Security and Privacy, Oakland, May 2006, IEEE Computer Society Press, Los Alamitos (2006)
Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J.: Flips: Hybrid adaptive intrusion prevention. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, Springer, Heidelberg (2006)
Miller, R.C., Bharat, K.: SPHINX: A Framework for Creating Personal, Site-Specific Web Crawlers. In: Proceedings of 7th World Wide Web Conference, Brisbane (April 1998)
Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of The 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003), San Francisco, April 2003, IEEE Computer Society Press, Los Alamitos (2003)
Newsome, J., Karp, B., Song, D.: Polygraph: Automatically generating signatures for polymorphic worms. In: Proceedings of The 2005 IEEE Symposium on Security and Privacy, Oakland, May 2005, IEEE Computer Society Press, Los Alamitos (2005)
Newsome, J., Karp, B., Song, D.: Paragraph: Thwarting signature learning by training maliciously. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, Springer, Heidelberg (2006)
Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of 12th Annual Network and Distributed System Security Symposium (NDSS 2005) (February 2005)
Page, L., Brin, S., Motwani, R., Winograd, T.: The pagerank citation ranking: Bringing order to the web. Technical report, Stanford Digital Library Technologies Project (1998)
Perdisci, R., Dagon, D., Lee, W., Fogla, P., Sharif, M.: Misleading Worm Signature Generators Using Deliberate Noise Injection. In: Proceedings of The 2006 IEEE Symposium on Security and Privacy, Oakland, May 2006, IEEE Computer Society Press, Los Alamitos (2006)
Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of 5th Symposium on Operating Systems Design and Implementation, California (December 2004)
Tancer, B.: Obama clinton chart updated with edwards (January 2007), http://www.hitwise.com/datacenter/industrysearchterms/all-categories.php
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Chung, S.P., Mok, A.K. (2007). Advanced Allergy Attacks: Does a Corpus Really Help?. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_13
Download citation
DOI: https://doi.org/10.1007/978-3-540-74320-0_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74319-4
Online ISBN: 978-3-540-74320-0
eBook Packages: Computer ScienceComputer Science (R0)