The rapid increase in software vulnerabilities shows the limits of patch-dependent countermeasures against malicious code. We propose a patch-independent technique for protecting against remote infection that enables each process to identify itself as "being infected" and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding. Previously, no method had been proposed for stopping a malicious process without recompiling source code or rebuilding software. In the proposed system, the target process runs in a self-debugging mode, which is activated by enhancing the debug() exception handler and utilizing the MSR debug register. In this paper we show the effectiveness of the proposed method by protecting against remote process infection without patching security holes. Implementation of a device driver callback function and a BranchIP recorder provides real-time prevention of unregistered worm attacks through the Internet. In the experiment, a function test using the stack buffer overflow of Win32.SQLExp.Worm is presented. CPU utilization corresponding to the number of function calls and to some database operations is also shown.