Generation of IDS Signatures through Exhaustive Execution Path Exploration in PoC Codes for Vulnerabilities

Abstract

There have been many vulnerabilities, and we need prompt countermeasures. One factor that makes more rapid measures necessary is Proof of Concept (PoC) codes. Although they are released to promote vulnerability countermeasures, attackers can also abuse them. In this paper, we analyze PoC codes that send HTTP requests, then generate IDS signatures. To analyze codes, there are two policies: dynamic analysis and static analysis. However, the former cannot cover the execution paths, and the latter cannot analyze dynamically determined values. In addition, symbolic execution compensates for their shortcomings, but its implementation cost is high. We propose a signature generation method for PoC codes that send HTTP requests based on an analysis combining dynamic and static analysis. We first statically explore execution paths of the code by searching for the conditional branch syntax using the abstract syntax tree. Then, we rewrite the branch conditions to enforce the specific execution path and generate a new code corresponding to each path. Finally, we execute each code, generate the attack requests dynamically, and extract signatures. The average detection rate for the requests was 86.9%. Moreover, we tested the signatures for 30 codes by actually executing them, and for nine codes, we detected the attack.