Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities

Archana Pasupulati, Jason Coit, K. Levitt, S. F. Wu, S. Li, J. Kuo, K. Fan
DOI: 10.1109/NOMS.2004.1317662 (https://doi.org/10.1109/NOMS.2004.1317662)
Venue: 2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507)
Published: 2004-04-23
Citations: 69

Abstract

Attack polymorphism is a powerful tool for attackers on the Internet to evade signature-based intrusion detection/prevention systems. In addition, new and faster Internet worms can be coded and launched easily at any time, even by high school students, against our critical infrastructures, such as DNS or update servers. We believe that polymorphic Internet worms will be developed in the future, such that many of our current solutions might have a very small chance to survive. In this paper, we propose a simple solution called "Buttercup" to counter attacks based on buffer-overflow exploits (such as CodeRed, Nimda, Slammer, and Blaster). We have implemented our idea in SNORT and included 19 return address ranges of buffer-overflow exploits. With a suite of tests against 55 TCPdump traces, the false positive rate for our best algorithm is as low as 0.01%. This indicates that, potentially, Buttercup can drop 100% of worm attack packets on the wire while only 0.01% of the good packets will be sacrificed.
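The abstract describes Buttercup as a Snort check that flags packets whose payload contains a value falling inside one of the return-address ranges used by known buffer-overflow exploits, which is what makes it robust to payload polymorphism: the shellcode can change, but the address the overflow must jump to is fixed by the victim binary. The following added example (written for this page, not the authors' Snort code) shows the core of such a check in Python: a sliding 4-byte window over the payload, decoded little-endian, compared against configured ranges. The two ranges, the sample payloads and the repeat threshold are constructed assumptions, not the paper's 19 ranges or its 55 traces.

```python
"""Added example (not the paper's Snort implementation): a return-address
range check over raw packet payloads, in the spirit of Buttercup.

Assumptions: the address ranges, sample payloads and repeat threshold below
are constructed for illustration; they are not the paper's 19 ranges or
its traces."""
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical (assumed) return-address ranges, inclusive. In practice these
# are the code regions known exploits return into, e.g. a system library's
# text segment on an unpatched server.
RETURN_ADDRESS_RANGES: List[Tuple[int, int]] = [
    (0x77E00000, 0x77EFFFFF),
    (0x7FFA0000, 0x7FFAFFFF),
]


def in_ranges(addr: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= addr <= hi for lo, hi in ranges)


def scan_payload(payload: bytes,
                 ranges: List[Tuple[int, int]] = RETURN_ADDRESS_RANGES
                 ) -> List[Tuple[int, int]]:
    """Return (offset, address) for every 4-byte window whose little-endian
    value lies in a watched range.

    Every byte offset is tested, not only 4-byte aligned ones, because the
    overflowed return-address slot can sit at any offset in the payload."""
    hits = []
    for off in range(len(payload) - 3):
        (addr,) = struct.unpack_from("<I", payload, off)
        if in_ranges(addr, ranges):
            hits.append((off, addr))
    return hits


def is_suspicious(payload: bytes,
                  ranges: List[Tuple[int, int]] = RETURN_ADDRESS_RANGES,
                  min_repeats: int = 2) -> bool:
    """Flag a payload when one address from a watched range occurs at least
    min_repeats times.

    Exploits commonly repeat the return address to cover uncertainty about
    the exact slot position; requiring a repeat is an assumed mitigation
    for benign bytes that happen to decode into a watched range (the paper
    reports a 0.01% false positive rate for its best algorithm)."""
    counts: Dict[int, int] = Counter(
        addr for _, addr in scan_payload(payload, ranges))
    return any(n >= min_repeats for n in counts.values())


# Constructed sample packets (not taken from the paper's traces).
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
EXPLOIT_LIKE_PAYLOAD = (b"A" * 64                             # filler
                        + struct.pack("<I", 0x77E12345) * 4   # repeated return address
                        + b"\x90" * 8)                        # start of a NOP sled

if __name__ == "__main__":
    for name, p in (("benign", BENIGN_PAYLOAD),
                    ("exploit-like", EXPLOIT_LIKE_PAYLOAD)):
        print(name, scan_payload(p), is_suspicious(p))
```

The byte-granular scan is what lets the check survive polymorphic shellcode and NOP-sled variation, since only the return address must stay inside the watched range. The cost is the false-positive channel the abstract quantifies: binary protocols or compressed data will occasionally decode into a watched range, so the ranges must be kept narrow and the repeat threshold tuned against real traffic before dropping packets on the wire.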