
A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Conference paper. In: Recent Advances in Intrusion Detection (RAID 2005).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3858)

Abstract

A common way by which attackers gain control of hosts is through remote exploits. Worms, which use exploit code to self-propagate and have become commonplace, add a new dimension to the problem. Defenses exist, but the popular ones are signature-based techniques that match known byte patterns, and they can be thwarted by polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than a byte pattern: it also has a definite control and data flow. We propose a fast approach based on static analysis that is essentially a litmus test and operates by distinguishing between data, programs and program-like exploit code. We have implemented a prototype called styx and evaluated it against real data collected on our organizational network. Results show that it detects a variety of exploit code and can also generate very specific signatures. Moreover, it shows initial promise against polymorphism and metamorphism.
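The litmus test the abstract describes, distinguishing program-like exploit code from data by decoding bytes and following their control and data flow, as an added illustration. This is not the paper's styx implementation (its decoder and decision rules are not reproduced on this page); it assumes an x86-32 target and supports only a small opcode subset, and the HTTP request, NOP sled, execve("/bin/sh") payload and jump-over-junk bytes are constructed sample inputs.

```python
"""Toy litmus test: does a byte string in a network flow decode into a chain of
instructions with a definite control and data flow? Added illustration, not the
paper's styx code. Assumes x86-32 and a small opcode subset (assumption)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Insn:
    offset: int
    length: int
    text: str
    target: Optional[int] = None      # absolute buffer offset of a direct jmp/call
    terminal: bool = False            # int/ret: the path ends here
    writes: frozenset = frozenset()   # registers this instruction defines


def decode(buf: bytes, off: int) -> Optional[Insn]:
    """Decode one instruction from a small x86-32 subset; None if unsupported/truncated."""
    if off >= len(buf):
        return None
    op, have = buf[off], len(buf) - off
    if op == 0x90:
        return Insn(off, 1, "nop")
    if 0x50 <= op <= 0x57:
        return Insn(off, 1, f"push {REGS[op - 0x50]}")
    if 0x58 <= op <= 0x5F:
        r = REGS[op - 0x58]
        return Insn(off, 1, f"pop {r}", writes=frozenset({r}))
    if op in (0x01, 0x29, 0x31, 0x89) and have >= 2 and buf[off + 1] >> 6 == 3:
        modrm = buf[off + 1]                       # register-direct (mod == 3) form only
        rm, reg = REGS[modrm & 7], REGS[(modrm >> 3) & 7]
        mn = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x89: "mov"}[op]
        return Insn(off, 2, f"{mn} {rm}, {reg}", writes=frozenset({rm}))
    if 0xB8 <= op <= 0xBF and have >= 5:
        r = REGS[op - 0xB8]
        imm = int.from_bytes(buf[off + 1:off + 5], "little")
        return Insn(off, 5, f"mov {r}, {imm:#x}", writes=frozenset({r}))
    if 0xB0 <= op <= 0xB7 and have >= 2:
        r = REGS[(op - 0xB0) & 3]                  # al/cl/dl/bl/ah/ch/dh/bh -> parent register
        return Insn(off, 2, f"mov {r}.8, {buf[off + 1]:#x}", writes=frozenset({r}))
    if op == 0x68 and have >= 5:
        return Insn(off, 5, f"push {int.from_bytes(buf[off + 1:off + 5], 'little'):#x}")
    if op == 0x6A and have >= 2:
        return Insn(off, 2, f"push {buf[off + 1]:#x}")
    if op == 0xEB and have >= 2:
        rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
        return Insn(off, 2, "jmp short", target=off + 2 + rel)
    if op in (0xE8, 0xE9) and have >= 5:
        rel = int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
        return Insn(off, 5, "call" if op == 0xE8 else "jmp", target=off + 5 + rel)
    if op == 0xCD and have >= 2:
        return Insn(off, 2, f"int {buf[off + 1]:#x}", terminal=True)
    if op == 0xC3:
        return Insn(off, 1, "ret", terminal=True)
    return None


def trace(buf: bytes, start: int, max_insns: int = 64) -> Tuple[List[Insn], bool, Set[str]]:
    """Follow one control-flow path from start: straight-line code plus direct jmp/call
    targets (a call is followed like a jmp, as in jmp/call/pop shellcode).
    Returns (path, reached_terminal, registers defined along the path)."""
    path: List[Insn] = []
    defined: Set[str] = set()
    seen: Set[int] = set()
    off = start
    while off not in seen and len(path) < max_insns:
        ins = decode(buf, off)
        if ins is None:
            break                                  # undecodable byte: data, not code
        seen.add(off)
        path.append(ins)
        defined |= ins.writes
        if ins.terminal:
            return path, True, defined
        if ins.target is not None:
            if not 0 <= ins.target < len(buf):
                break                              # branch leaves the buffer
            off = ins.target
        else:
            off += ins.length
    return path, False, defined


def is_program_like(buf: bytes, min_insns: int = 6) -> Optional[Tuple[int, List[Insn]]]:
    """Litmus test: (start, path) of the longest path that decodes >= min_insns
    instructions, keeps control flow inside the buffer, ends in int/ret and, for a
    syscall, defined eax (the syscall number) first. None means 'looks like data'."""
    best = None
    for start in range(len(buf)):
        path, terminal, defined = trace(buf, start)
        if not terminal or len(path) < min_insns:
            continue
        if path[-1].text.startswith("int") and "eax" not in defined:
            continue                               # syscall with no number set: no real data flow
        if best is None or len(path) > len(best[1]):
            best = (start, path)
    return best


# Constructed sample inputs (not from the paper's dataset).
HTTP_DATA = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
# Classic Linux x86-32 execve("/bin/sh") payload: xor eax,eax; push eax; push "//sh";
# push "/bin"; mov ebx,esp; push eax; push ebx; mov ecx,esp; mov al,11; int 0x80
SHELLCODE = bytes.fromhex("31c0 50 682f2f7368 682f62696e 89e3 50 53 89e1 b00b cd80")
FLOW = HTTP_DATA + b"\x90" * 8 + SHELLCODE                 # request, then sled + payload
JUMP_OVER_JUNK = b"\xeb\x05" + b"GARBA" + SHELLCODE        # a sled byte signature misses this

if __name__ == "__main__":
    for name, buf in [("http", HTTP_DATA), ("flow", FLOW), ("junk", JUMP_OVER_JUNK)]:
        hit = is_program_like(buf)
        if hit is None:
            print(f"{name}: data")
        else:
            print(f"{name}: program-like, {len(hit[1])} insns from offset {hit[0]}")
            for ins in hit[1]:
                print(f"  {ins.offset:4d}: {ins.text}")
```

The HTTP request never decodes into a path that reaches a terminal, so it is classified as data; the flow carrying the sled and payload yields an 18-instruction path ending in int 0x80 with eax defined; and the jump-over-junk variant is still caught because the analysis follows the jmp rather than matching sled bytes. A toy subset like this is only an illustration: a real detector needs a complete decoder and must handle alphanumeric and otherwise encoded shellcode, which is exactly the territory the abstract says signature matching loses and the paper evaluates separately.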

This material is based upon work supported by the Air Force Research Laboratory – Rome Labs under Contract No. FA8750-04-C-0249.




© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chinchani, R., van den Berg, E. (2006). A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_15


  • DOI: https://doi.org/10.1007/11663812_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1
