Article

Packet vaccine: black-box exploit detection and signature generation

Authors:

Jun Xu,

Jong Youl ChoiAuthors Info & Claims

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security

Pages 37 - 46

https://doi.org/10.1145/1180405.1180412

Published: 30 October 2006 Publication History

Get Access

Abstract

In biology,a vaccine is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production.Inspired by this idea, we propose a packet vaccine mechanism that randomizes address-like strings in packet payloads to carry out fast exploit detection, vulnerability diagnosis and signature generation. An exploit with a randomized jump address behaves like a vaccine: it will likely cause an exception in a vulnerable program's process when attempting to hijack the control flow,and thereby expose itself. Taking that exploit as a template, our signature generator creates a set of new vaccines to probe the program, in an attempt to uncover the necessary conditions for the exploit to happen. A signature is built upon these conditions to shield the underlying vulnerability from further attacks. In this way, packet vaccine detects and fllters exploits in a black-box fashion,i.e., avoiding the expense of tracking the program's execution flow. We present the design of the packet vaccine mechanism and an example of its application. We also describe our proof-of-concept implementation and the evaluation of our technique using real exploits.

References

[1]

K. G. Anagnostakis, S. Siridoglou, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis. Detecting targeted attacks using shadow honeypots.In Proceedings of USENIX Security Symposium 2005 August 2005.

Digital Library

Google Scholar

[2]

J. H. Barton, E. W. Czeck, Z. Z. Segall, and D. P. Siewiorek. Fault injection experiments using FIAT. IEEE Trans. Comput. 39(4):575--582, 1990.

Digital Library

Google Scholar

[3]

David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha. Towards automatic generation of vulnerability-based signatures.In Proceedings of the 2006 IEEE Symposium on Security and Privacy 2006.

Digital Library

Google Scholar

[4]

George J. Carrette. CRASHME: Random input testing. http://people.delphiforums.com/gjc/crashme.html as of March, 2006.

Google Scholar

Cited By

View all

Eskandari RShajari MGhahfarokhi M(2019)ERES: an extended regular expression signature for polymorphic worm detectionJournal of Computer Virology and Hacking Techniques10.1007/s11416-019-00330-115:3(177-194)Online publication date: 26-Apr-2019
https://doi.org/10.1007/s11416-019-00330-1
Zhang TLee WGao MZhou J(2019)File Guard: automatic format-based media file sanitizationInternational Journal of Information Security10.1007/s10207-019-00440-3Online publication date: 6-Jun-2019
https://doi.org/10.1007/s10207-019-00440-3
Al-Shaer EWei JHamlen KWang CAl-Shaer EWei JHamlen KWang C(2019)Malware Deception with Automatic Analysis and Generation of HoneyResourceAutonomous Cyber Deception10.1007/978-3-030-02110-8_11(209-235)Online publication date: 3-Jan-2019
https://doi.org/10.1007/978-3-030-02110-8_11
Show More Cited By

Index Terms

Packet vaccine: black-box exploit detection and signature generation
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
  2. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Fast and automated generation of attack signatures: a basis for building self-protecting servers
CCS '05: Proceedings of the 12th ACM conference on Computer and communications security

Large-scale attacks, such as those launched by worms and zombie farms, pose a serious threat to our network-centric society. Existing approaches such as software patches are simply unable to cope with the volume and speed with which new vulnerabilities ...
Fast and Black-box Exploit Detection and Signature Generation for Commodity Software

In biology, a vaccine is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a packet vaccine mechanism that randomizes address-like ...
Collaborative Internet Worm Containment

Large-scale worm outbreaks that lead to distributed denial-of-service (DDoS) attacks pose a major threat to the Internet infrastructureýs security. Fast containment is crucial for minimizing damage and preventing flooding attacks against network hosts. ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security

October 2006

434 pages

ISBN:1595935185

DOI:10.1145/1180405

General Chair:
Ari Juels
RSA Laboratories
,
Program Chairs:
Rebecca Wright
Stevens Institute of Technology
,
Sabrina De Capitani di Vimercati
University of Milan, Italy

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS06

Sponsor:

CCS06: 13th ACM Conference on Computer and Communications Security 2006

October 30 - November 3, 2006

Virginia, Alexandria, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

50
Total Citations
View Citations
938
Total Downloads

Downloads (Last 12 months)9
Downloads (Last 6 weeks)0

Reflects downloads up to 16 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Eskandari RShajari MGhahfarokhi M(2019)ERES: an extended regular expression signature for polymorphic worm detectionJournal of Computer Virology and Hacking Techniques10.1007/s11416-019-00330-115:3(177-194)Online publication date: 26-Apr-2019
https://doi.org/10.1007/s11416-019-00330-1
Zhang TLee WGao MZhou J(2019)File Guard: automatic format-based media file sanitizationInternational Journal of Information Security10.1007/s10207-019-00440-3Online publication date: 6-Jun-2019
https://doi.org/10.1007/s10207-019-00440-3
Al-Shaer EWei JHamlen KWang CAl-Shaer EWei JHamlen KWang C(2019)Malware Deception with Automatic Analysis and Generation of HoneyResourceAutonomous Cyber Deception10.1007/978-3-030-02110-8_11(209-235)Online publication date: 3-Jan-2019
https://doi.org/10.1007/978-3-030-02110-8_11
Noce JLopes YFernandes NAlbuquerque CMuchaluat-Saade D(2017)Identifying vulnerabilities in smart gric communication networks of electrical substations using GEESE 2.02017 IEEE 26th International Symposium on Industrial Electronics (ISIE)10.1109/ISIE.2017.8001232(111-116)Online publication date: Jun-2017
https://doi.org/10.1109/ISIE.2017.8001232
Eskandari RShajari MAsadi A(2015)Automatic signature generation for polymorphic worms by combination of token extraction and sequence alignment approaches2015 7th Conference on Information and Knowledge Technology (IKT)10.1109/IKT.2015.7288733(1-6)Online publication date: May-2015
https://doi.org/10.1109/IKT.2015.7288733
Yan QLi YDeng R(2014)Malware Protection on RFID-Enabled Supply Chain Management Systems in the EPCglobal NetworkCrisis Management10.4018/978-1-4666-4707-7.ch058(1166-1188)Online publication date: 2014
https://doi.org/10.4018/978-1-4666-4707-7.ch058
Long FSidiroglou-Douskos SKim DRinard M(2014)Sound input filter generation for integer overflow errorsACM SIGPLAN Notices10.1145/2578855.253588849:1(439-452)Online publication date: 8-Jan-2014
https://dl.acm.org/doi/10.1145/2578855.2535888
Long FSidiroglou-Douskos SKim DRinard MJagannathan SSewell P(2014)Sound input filter generation for integer overflow errorsProceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages10.1145/2535838.2535888(439-452)Online publication date: 11-Jan-2014
https://dl.acm.org/doi/10.1145/2535838.2535888
Kaur RSingh M(2014)A Survey on Zero-Day Polymorphic Worm Detection TechniquesIEEE Communications Surveys & Tutorials10.1109/SURV.2014.022714.0016016:3(1520-1549)Online publication date: Nov-2015
https://doi.org/10.1109/SURV.2014.022714.00160
Li FHuang CHuang JPeng W(2014)Feedback-based smartphone strategic sampling for BYOD security2014 23rd International Conference on Computer Communication and Networks (ICCCN)10.1109/ICCCN.2014.6911814(1-8)Online publication date: Aug-2014
https://doi.org/10.1109/ICCCN.2014.6911814
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Fast and automated generation of attack signatures: a basis for building self-protecting servers

Fast and Black-box Exploit Detection and Signature Generation for Commodity Software

Collaborative Internet Worm Containment