Advanced Allergy Attacks: Does a Corpus Really Help?

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4637)

Abstract

As research in automatic signature generators (ASGs) receives more attention, various attacks against these systems are being identified. One of these attacks is the “allergy attack”, which induces the target ASG into generating harmful signatures that filter out normal traffic at the perimeter defense, resulting in a DoS against the protected network. It is tempting to attribute the success of allergy attacks to a failure to check the generated signatures against a corpus of known “normal” traffic, as suggested by some researchers. In this paper, we argue that the problem is more fundamental in nature; the alleged “solution” is not effective against allergy attacks as long as the normal traffic exhibits certain characteristics that are commonly found in reality. We have come up with two advanced allergy attacks that cannot be stopped by a corpus-based defense. We also propose a page-rank-based metric for quantifying the damage caused by an allergy attack. Both the analysis based on the proposed metric and our experiments with Polygraph and Hamsa show that the advanced attacks presented will block out 10% to 100% of HTTP requests to the three websites studied: CNN.com, Amazon.com and Google.com.



Editor information

Christopher Kruegel, Richard Lippmann, Andrew Clark

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chung, S.P., Mok, A.K. (2007). Advanced Allergy Attacks: Does a Corpus Really Help?. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_13

  • DOI: https://doi.org/10.1007/978-3-540-74320-0_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74319-4

  • Online ISBN: 978-3-540-74320-0

  • eBook Packages: Computer Science (R0)
