Evolving Buffer Overflow Attacks with Detector Feedback

Authors:
H. Gunes Kayacik;Malcolm Iain Heywood;A. Nur Zincir-Heywood
Affiliations:
Faculty of Computer Science, Dalhousie University, 6050 University Avenue. Halifax. NS., Canada;Faculty of Computer Science, Dalhousie University, 6050 University Avenue. Halifax. NS., Canada;Faculty of Computer Science, Dalhousie University, 6050 University Avenue. Halifax. NS., Canada
Venue:
Proceedings of the 2007 EvoWorkshops 2007 on EvoCoMnet, EvoFIN, EvoIASP,EvoINTERACTION, EvoMUSART, EvoSTOC and EvoTransLog: Applications of Evolutionary Computing
Year:
2009

Citing 6
Cited 3

Mimicry attacks on host-based intrusion detection systems

Proceedings of the 9th ACM conference on Computer and communications security
Hiding Intrusions: From the Abnormal to the Normal and Beyond

IH '02 Revised Papers from the 5th International Workshop on Information Hiding
Evolving Successful Stack Overflow Attacks for Vulnerability Testing

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
On evolving buffer overflow attacks using genetic programming

Proceedings of the 8th annual conference on Genetic and evolutionary computation
Automating mimicry attacks using static binary analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Undermining an anomaly-based intrusion detection system using common exploits

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Can a good offense be a good defense? Vulnerability testing of anomaly detectors through an artificial arms race

Applied Soft Computing
Using code bloat to obfuscate evolved network traffic

EvoCOMNET'10 Proceedings of the 2010 international conference on Applications of Evolutionary Computation - Volume Part II
Network protocol discovery and analysis via live interaction

EvoApplications'12 Proceedings of the 2012t European conference on Applications of Evolutionary Computation

Quantified Score

Hi-index	0.00

Visualization

Abstract

A mimicry attack is an exploit in which basic behavioral objectives of a minimalist 'core' attack are used to design multiple attacks achieving the same objective from the same application. Research in mimicry attacks is valuable in determining and eliminating detector weaknesses. In this work, we provide a process for evolving all components of a mimicry attack relative to the Stide (anomaly) detector under a Traceroute exploit. To do so, feedback from the detector is directly incorporated into the fitness function, thus guiding evolution towards potential blind spots in the detector. Results indicate that we are able to evolve mimicry attacks that reduce the detector anomaly rate from ~67% of the original core exploit, to less than 3%, effectively making the attack indistinguishable from normal behaviors.