Automatic generation of buffer overflow attack signatures: An approach based on program behavior models

Zhenkai Liang; R. Sekar

doi:10.1109/CSAC.2005.12

Automatic generation of buffer overflow attack signatures: An approach based on program behavior models

Zhenkai Liang
, R. Sekar

Computer Science

Stony Brook University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

36 Scopus citations

Abstract

Buffer overflows have become the most common target for network-based attacks. They are also the primary mechanism used by worms and other forms of automated attacks. Although many techniques have been developed to prevent server compromises due to buffer overflows, these defenses still lead to server crashes. When attacks occur repeatedly, as is common with automated attacks, these protection mechanisms lead to repeated restarts of the victim application, rendering its service unavailable. To overcome this problem, we develop a new approach that can learn the characteristics of a particular attack, and filter out future instances of the same attack or its variants. By doing so, our approach significantly increases the availability of servers subjected to repeated attacks. The approach is fully automatic, does not require source code, and has low run-time overheads. In our experiments, it was effective against most attacks, and did not produce any false positives.

Original language	English
Title of host publication	Proceedings - 21st Annual Computer Security Applications Conference, ACSAC 2005
Pages	215-224
Number of pages	10
DOIs	https://doi.org/10.1109/CSAC.2005.12
State	Published - 2005
Event	21st Annual Computer Security Applications Conference, ACSAC 2005 - Tucson, AZ, United States Duration: Dec 5 2005 → Dec 9 2005

Publication series

Name	Proceedings - Annual Computer Security Applications Conference, ACSAC
Volume	2005
ISSN (Print)	1063-9527

Conference

Conference	21st Annual Computer Security Applications Conference, ACSAC 2005
Country/Territory	United States
City	Tucson, AZ
Period	12/5/05 → 12/9/05

Access to Document

10.1109/CSAC.2005.12

Cite this

Liang, Z., & Sekar, R. (2005). Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. In Proceedings - 21st Annual Computer Security Applications Conference, ACSAC 2005 (pp. 215-224). Article 1565249 (Proceedings - Annual Computer Security Applications Conference, ACSAC; Vol. 2005). https://doi.org/10.1109/CSAC.2005.12

@inproceedings{56dd61c113e843328b575f34f04a8833,

title = "Automatic generation of buffer overflow attack signatures: An approach based on program behavior models",

abstract = "Buffer overflows have become the most common target for network-based attacks. They are also the primary mechanism used by worms and other forms of automated attacks. Although many techniques have been developed to prevent server compromises due to buffer overflows, these defenses still lead to server crashes. When attacks occur repeatedly, as is common with automated attacks, these protection mechanisms lead to repeated restarts of the victim application, rendering its service unavailable. To overcome this problem, we develop a new approach that can learn the characteristics of a particular attack, and filter out future instances of the same attack or its variants. By doing so, our approach significantly increases the availability of servers subjected to repeated attacks. The approach is fully automatic, does not require source code, and has low run-time overheads. In our experiments, it was effective against most attacks, and did not produce any false positives.",

author = "Zhenkai Liang and R. Sekar",

year = "2005",

doi = "10.1109/CSAC.2005.12",

language = "English",

isbn = "0769524613",

series = "Proceedings - Annual Computer Security Applications Conference, ACSAC",

pages = "215--224",

booktitle = "Proceedings - 21st Annual Computer Security Applications Conference, ACSAC 2005",

note = "21st Annual Computer Security Applications Conference, ACSAC 2005 ; Conference date: 05-12-2005 Through 09-12-2005",

}

Liang, Z & Sekar, R 2005, Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. in Proceedings - 21st Annual Computer Security Applications Conference, ACSAC 2005., 1565249, Proceedings - Annual Computer Security Applications Conference, ACSAC, vol. 2005, pp. 215-224, 21st Annual Computer Security Applications Conference, ACSAC 2005, Tucson, AZ, United States, 12/5/05. https://doi.org/10.1109/CSAC.2005.12

Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. / Liang, Zhenkai; Sekar, R.
Proceedings - 21st Annual Computer Security Applications Conference, ACSAC 2005. 2005. p. 215-224 1565249 (Proceedings - Annual Computer Security Applications Conference, ACSAC; Vol. 2005).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automatic generation of buffer overflow attack signatures

T2 - 21st Annual Computer Security Applications Conference, ACSAC 2005

AU - Liang, Zhenkai

AU - Sekar, R.

PY - 2005

Y1 - 2005

N2 - Buffer overflows have become the most common target for network-based attacks. They are also the primary mechanism used by worms and other forms of automated attacks. Although many techniques have been developed to prevent server compromises due to buffer overflows, these defenses still lead to server crashes. When attacks occur repeatedly, as is common with automated attacks, these protection mechanisms lead to repeated restarts of the victim application, rendering its service unavailable. To overcome this problem, we develop a new approach that can learn the characteristics of a particular attack, and filter out future instances of the same attack or its variants. By doing so, our approach significantly increases the availability of servers subjected to repeated attacks. The approach is fully automatic, does not require source code, and has low run-time overheads. In our experiments, it was effective against most attacks, and did not produce any false positives.

AB - Buffer overflows have become the most common target for network-based attacks. They are also the primary mechanism used by worms and other forms of automated attacks. Although many techniques have been developed to prevent server compromises due to buffer overflows, these defenses still lead to server crashes. When attacks occur repeatedly, as is common with automated attacks, these protection mechanisms lead to repeated restarts of the victim application, rendering its service unavailable. To overcome this problem, we develop a new approach that can learn the characteristics of a particular attack, and filter out future instances of the same attack or its variants. By doing so, our approach significantly increases the availability of servers subjected to repeated attacks. The approach is fully automatic, does not require source code, and has low run-time overheads. In our experiments, it was effective against most attacks, and did not produce any false positives.

UR - https://www.scopus.com/pages/publications/33846294027

U2 - 10.1109/CSAC.2005.12

DO - 10.1109/CSAC.2005.12

M3 - Conference contribution

AN - SCOPUS:33846294027

SN - 0769524613

SN - 9780769524610

T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC

SP - 215

EP - 224

BT - Proceedings - 21st Annual Computer Security Applications Conference, ACSAC 2005

Y2 - 5 December 2005 through 9 December 2005

ER -

Automatic generation of buffer overflow attack signatures: An approach based on program behavior models

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this