01-09-2012, 05:05 PM
BUFFER OVERFLOW ATTACK BLOCKER USING SIGFREE CONCEPT
Abstract
SigFree is an online, signature-free, out-of-the-box application-layer method for blocking code-injection buffer overflow attack messages targeting various Internet services such as web services. Motivated by the observation that buffer overflow attacks typically contain executables whereas legitimate client requests never contain executables in most Internet services, SigFree blocks attacks by detecting the presence of code. Because SigFree is signature free, it can block new and unknown buffer overflow attacks. SigFree is also immune to most attack-side code obfuscation methods. We focus on buffer overflow attacks whose payloads contain executable code in machine language, and we assume normal requests do not contain executable machine code. We show that the dependency-degree-based SigFree could block all types of code-injection attack packets tested in our experiments with very few false positives.
INTRODUCTION
Throughout the history of cyber security, buffer overflow has been one of the most serious vulnerabilities in computer systems. Buffer overflow vulnerability is a root cause of most cyber attacks, such as server break-ins, worms, zombies, and botnets. A buffer overflow occurs during program execution when a fixed-size buffer has had too much data copied into it. The excess data overwrites adjacent memory locations, and depending on what is stored there, the behavior of the program itself might be affected. Although, taking a broader viewpoint, buffer overflow attacks do not always carry binary code in the attacking requests (or packets), code-injection buffer overflow attacks such as stack smashing probably account for most of the buffer overflow attacks that have happened in the real world.
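The mechanism the introduction describes, as an added example that is not from the paper or this post: a fixed-size buffer with an adjacent field, an unchecked copy that spills into that field, and the bounded copy that prevents it. The struct, both handlers and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: an 8-byte name buffer followed in memory by a flag.
 * Data copied past the end of `name` lands in `is_admin`. */
struct request {
    char name[8];
    int  is_admin;
};
_Static_assert(offsetof(struct request, is_admin) == 8, "unexpected layout");

/* Constructed inputs: 8 filler bytes plus 4 nonzero bytes that overflow
 * into is_admin, and a normal 5-byte name. */
static const unsigned char kOverlong[12] = {
    'A','A','A','A','A','A','A','A', 1, 1, 1, 1
};
static const unsigned char kNormal[] = "alice";

/* Vulnerable handler: copies `len` bytes with no check against the size
 * of `name`. The copy is clamped to the struct's own size only so the
 * demonstration stays within the object; the missing check is the bug. */
static int handle_unchecked(const unsigned char *input, size_t len)
{
    struct request rec = { "", 0 };
    if (len > sizeof rec) len = sizeof rec;
    memcpy(&rec, input, len);        /* may overwrite rec.is_admin */
    return rec.is_admin;             /* nonzero => flag was clobbered */
}

/* Hardened handler: rejects input that does not fit, copies at most
 * sizeof(name)-1 bytes and NUL-terminates, so is_admin is never reached. */
static int handle_checked(const unsigned char *input, size_t len)
{
    struct request rec = { "", 0 };
    if (len >= sizeof rec.name)
        return -1;                   /* reject oversized input */
    memcpy(rec.name, input, len);
    rec.name[len] = '\0';
    return rec.is_admin;             /* always 0 for any accepted input */
}

int main(void)
{
    printf("unchecked, overlong: is_admin=%d\n", handle_unchecked(kOverlong, sizeof kOverlong));
    printf("checked,   overlong: %d (rejected)\n", handle_checked(kOverlong, sizeof kOverlong));
    printf("checked,   normal:   is_admin=%d\n", handle_checked(kNormal, 5));
    return 0;
}
```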
WORM DETECTION AND SIGNATURE GENERATION
Because buffer overflow is a key target of worms when they propagate from one host to another, SigFree is related to worm detection. Based on the nature of worm infection symptoms, worm detection techniques can be broken down into the following classes. [Class 2A] techniques use macro symptoms such as Internet background radiation (observed by network telescopes) to raise early warnings of Internet-wide worm infection [3]. [Class 2B] techniques use local traffic symptoms such as content invariance, content prevalence, and address dispersion to generate worm signatures and/or block worms. Some examples of Class 2B techniques are Earlybird [9], Autograph [10], Polygraph [11], Hamsa [4], and Packet Vaccine [5]. [Class 2C] techniques use worm code running symptoms to detect worms. It is not surprising that Class 2C techniques are exactly Class 1F techniques. Some examples of Class 2C techniques are Shield [36], Vigilante [6], and COVERS [7]. [Class 2D] techniques use anomaly detection on packet payloads to detect worms and generate signatures. Wang and Stolfo [7], [8] first proposed a Class 2D technique called PAYL. PAYL is first trained with normal network flow traffic and then uses byte-level statistical measures to detect exploit code.
CONCLUSION
We have proposed SigFree, an online signature-free out-of-the-box blocker that can filter code-injection buffer overflow attack messages, one of the most serious cyber security threats. SigFree does not require any signatures, thus it can block new unknown attacks. SigFree is immunized from most attack-side code obfuscation methods and good for economical Internet-wide deployment with little maintenance cost.