An empirical study of the reliability of UNIX utilities
Communications of the ACM
Symbolic execution and program testing
Communications of the ACM
A requires/provides model for computer attacks
Proceedings of the 2000 workshop on New security paradigms
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
ACM SIGOPS Operating Systems Review - OSDI '02: Proceedings of the 5th symposium on Operating systems design and implementation
Randomized instruction set emulation to disrupt binary code injection attacks
Proceedings of the 10th ACM conference on Computer and communications security
Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
Malicious Cryptography: Exposing Cryptovirology
Malicious Cryptography: Exposing Cryptovirology
Shield: vulnerability-driven network filters for preventing known vulnerability exploits
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Testing network-based intrusion detection signatures using mutant exploits
Proceedings of the 11th ACM conference on Computer and communications security
Automatic Generation and Analysis of NIDS Attacks
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Minos: Control Data Attack Prevention Orthogonal to Memory Model
Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
RIFLE: An Architectural Framework for User-Centric Information-Flow Security
Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense
Language-Based Generation and Evaluation of NIDS Signatures
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Vigilante: end-to-end containment of internet worms
Proceedings of the twentieth ACM symposium on Operating systems principles
Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer)
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An architecture for generating semantics-aware signatures
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Non-control-data attacks are realistic threats
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Accurate buffer overflow detection via abstract payload execution
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Hybrid engine for polymorphic shellcode detection
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Enhancing the accuracy of network-based intrusion detection with host-based context
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
TCPtransform: property-oriented TCP traffic transformation
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
On interactive internet traffic replay
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
A fast static analysis approach to detect exploit code inside network flows
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Execution generated test cases: how to make systems code crash itself
SPIN'05 Proceedings of the 12th international conference on Model Checking Software
Polymorphic worm detection and defense: system design, experimental methodology, and data resources
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Temporal search: detecting hidden malware timebombs with virtual machines
Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
Finding diversity in remote code injection exploits
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Protomatching network traffic for high throughputnetwork intrusion detection
Proceedings of the 13th ACM conference on Computer and communications security
ExecRecorder: VM-based full-system replay for attack analysis and system recovery
Proceedings of the 1st workshop on Architectural and system support for improving software dependability
Minos: Architectural support for protecting control data
ACM Transactions on Architecture and Code Optimization (TACO)
Memory-efficient content filtering hardware for high-speed intrusion detection systems
Proceedings of the 2007 ACM symposium on Applied computing
WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation
IEEE Transactions on Dependable and Secure Computing
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Sweeper: a lightweight end-to-end system for defending against fast worms
Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
Bouncer: securing software by blocking bad input
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
On the infeasibility of modeling polymorphic shellcode
Proceedings of the 14th ACM conference on Computer and communications security
Memsherlock: an automated debugger for unknown memory corruption vulnerabilities
Proceedings of the 14th ACM conference on Computer and communications security
Understanding and visualizing full systems with data flow tomography
Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
Better bug reporting with better privacy
Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
Towards Automatically Generating Double-Free Vulnerability Signatures Using Petri Nets
ISC '08 Proceedings of the 11th international conference on Information Security
Vigilante: End-to-end containment of Internet worm epidemics
ACM Transactions on Computer Systems (TOCS)
Fast and Black-box Exploit Detection and Signature Generation for Commodity Software
ACM Transactions on Information and System Security (TISSEC)
Towards automatic reverse engineering of software security configurations
Proceedings of the 15th ACM conference on Computer and communications security
Eureka: A Framework for Enabling Static Malware Analysis
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Online Network Forensics for Automatic Repair Validation
IWSEC '08 Proceedings of the 3rd International Workshop on Security: Advances in Information and Computer Security
Panalyst: privacy-aware remote error analysis on commodity software
SS'08 Proceedings of the 17th conference on Security symposium
A rough set approach for automatic key attributes identification of zero-day polymorphic worms
Expert Systems with Applications: An International Journal
Proceedings of the 41st annual IEEE/ACM International Symposium on Microarchitecture
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
A hardware platform for efficient worm outbreak detection
ACM Transactions on Design Automation of Electronic Systems (TODAES)
Self-healing: science, engineering, and fiction
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
Mining Frequent Patterns from Network Data Flow
ADMA '09 Proceedings of the 5th International Conference on Advanced Data Mining and Applications
Journal of Systems and Software
DROP: Detecting Return-Oriented Programming Malicious Code
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Client-side detection of XSS worms by monitoring payload propagation
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Thwarting zero-day polymorphic worms with network-level length-based signature generation
IEEE/ACM Transactions on Networking (TON)
A behavioral analysis engine for network traffic
CCNC'10 Proceedings of the 7th IEEE conference on Consumer communications and networking conference
Mining frequent patterns from network flows for monitoring network
Expert Systems with Applications: An International Journal
An empirical study of real-world polymorphic code injection attacks
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Mimimorphism: a new approach to binary code obfuscation
Proceedings of the 17th ACM conference on Computer and communications security
HookScout: proactive binary-centric hook detection
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Behavior-based worm detectors compared
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Cloud-based malware detection for evolving data streams
ACM Transactions on Management Information Systems (TMIS)
Dataflow Tomography: Information Flow Tracking For Understanding and Visualizing Full Systems
ACM Transactions on Architecture and Code Optimization (TACO)
Paragraph: thwarting signature learning by training maliciously
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Generating simplified regular expression signatures for polymorphic worms
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
Proceedings of the 2012 workshop on New security paradigms
Estimation of the available bandwidth ratio of a remote link or path segments
Computer Networks: The International Journal of Computer and Telecommunications Networking
Covert computation: hiding code in code for obfuscation purposes
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Hi-index | 0.00 |
Vulnerabilities that allow worms to hijack the control flow of each host that they spread to are typically discovered months before the worm outbreak, but are also typically discovered by third party researchers. A determined attacker could discover vulnerabilities as easily and create zero-day worms for vulnerabilities unknown to network defenses. It is important for an analysis tool to be able to generalize from a new exploit observed and derive protection for the vulnerability.Many researchers have observed that certain predicates of the exploit vector must be present for the exploit to work and that therefore these predicates place a limit on the amount of polymorphism and metamorphism available to the attacker. We formalize this idea and subject it to quantitative analysis with a symbolic execution tool called DACODA. Using DACODA we provide an empirical analysis of 14 exploits (seven of them actual worms or attacks from the Internet, caught by Minos with no prior knowledge of the vulnerabilities and no false positives observed over a period of six months) for four operating systems.Evaluation of our results in the light of these two models leads us to conclude that 1) single contiguous byte string signatures are not effective for content filtering, and token-based byte string signatures composed of smaller substrings are only semantically rich enough to be effective for content filtering if the vulnerability lies in a part of a protocol that is not commonly used, and that 2) practical exploit analysis must account for multiple processes, multithreading, and kernel processing of network data necessitating a focus on primitives instead of vulnerabilities.