Scalable network-based buffer overflow attack detection

Fu Hau Hsu; Fanglu Guo; Tzi Cker Chiueh

doi:10.1145/1185347.1185370

Scalable network-based buffer overflow attack detection

Fu Hau Hsu, Fanglu Guo, Tzi Cker Chiueh

資訊工程學系

研究成果: 書貢獻/報告類型 › 會議論文篇章 › 同行評審

13 引文斯高帕斯（Scopus）

摘要

Buffer overflow attack is the main attack method that most if not all existing malicious worms use to propagate themselves from machine to machine. Although a great deal of research has been invested in defense mechanisms against buffer overflow attack, most of them require modifications to the network applications and/or the platforms that host them. Being an extension work of CTCP, this paper presents a network-based low performance overhead buffer overflow attack detection system called Nebula ¹ NEtwork-based BUffer overfLow Attack detection, which can detect both known and zero-day buffer overflow attacks based solely on the packets observed without requiring any modifications to the end hosts. Moreover, instead of deriving a specific signature for each individual buffer overflow attack instance, Nebula uses a generalized signature that can capture all known variants of buffer overflow attacks while reducing the number of false positives to a negligible level. In addition, Nebula is built on a centralized TCP/IP architecture that effectively defeats all existing NIDS evasion techniques. Finally, Nebula incorporates a payload type identification mechanism that reduces further the false positive rate and scales the proposed buffer overflow attack detection scheme to gigabit network links.

原文	???core.languages.en_GB???
主出版物標題	ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems
頁面	163-171
頁數	9
DOIs	https://doi.org/10.1145/1185347.1185370
出版狀態	已出版 - 2006
事件	2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems, ANCS 2006 - San Jose, CA, United States 持續時間: 3 12月 2006 → 5 12月 2006

出版系列

名字	ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems

???event.eventtypes.event.conference???

???event.eventtypes.event.conference???	2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems, ANCS 2006
國家/地區	United States
城市	San Jose, CA
期間	3/12/06 → 5/12/06

存取文件

10.1145/1185347.1185370

引用此

Hsu, F. H., Guo, F., & Chiueh, T. C. (2006). Scalable network-based buffer overflow attack detection. 於 ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (頁 163-171). (ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems). https://doi.org/10.1145/1185347.1185370

@inproceedings{191fb17f224a46bea01c19855fda45ab,

title = "Scalable network-based buffer overflow attack detection",

abstract = "Buffer overflow attack is the main attack method that most if not all existing malicious worms use to propagate themselves from machine to machine. Although a great deal of research has been invested in defense mechanisms against buffer overflow attack, most of them require modifications to the network applications and/or the platforms that host them. Being an extension work of CTCP, this paper presents a network-based low performance overhead buffer overflow attack detection system called Nebula 1 NEtwork-based BUffer overfLow Attack detection, which can detect both known and zero-day buffer overflow attacks based solely on the packets observed without requiring any modifications to the end hosts. Moreover, instead of deriving a specific signature for each individual buffer overflow attack instance, Nebula uses a generalized signature that can capture all known variants of buffer overflow attacks while reducing the number of false positives to a negligible level. In addition, Nebula is built on a centralized TCP/IP architecture that effectively defeats all existing NIDS evasion techniques. Finally, Nebula incorporates a payload type identification mechanism that reduces further the false positive rate and scales the proposed buffer overflow attack detection scheme to gigabit network links.",

keywords = "Buffer overflow attacks, CTCP, Generalized attack signatures, Network-based intrusion detection, Payload bypassing, Return-into-libc attacks",

author = "Hsu, {Fu Hau} and Fanglu Guo and Chiueh, {Tzi Cker}",

year = "2006",

doi = "10.1145/1185347.1185370",

language = "???core.languages.en_GB???",

isbn = "1595935800",

series = "ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems",

pages = "163--171",

booktitle = "ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems",

note = "null ; Conference date: 03-12-2006 Through 05-12-2006",

}

Hsu, FH, Guo, F & Chiueh, TC 2006, Scalable network-based buffer overflow attack detection. 於 ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems. ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems, 頁 163-171, 2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems, ANCS 2006, San Jose, CA, United States, 3/12/06. https://doi.org/10.1145/1185347.1185370

Scalable network-based buffer overflow attack detection. / Hsu, Fu Hau; Guo, Fanglu; Chiueh, Tzi Cker.

ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems. 2006. p. 163-171 (ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems).

研究成果: 書貢獻/報告類型 › 會議論文篇章 › 同行評審

TY - GEN

T1 - Scalable network-based buffer overflow attack detection

AU - Hsu, Fu Hau

AU - Guo, Fanglu

AU - Chiueh, Tzi Cker

PY - 2006

Y1 - 2006

N2 - Buffer overflow attack is the main attack method that most if not all existing malicious worms use to propagate themselves from machine to machine. Although a great deal of research has been invested in defense mechanisms against buffer overflow attack, most of them require modifications to the network applications and/or the platforms that host them. Being an extension work of CTCP, this paper presents a network-based low performance overhead buffer overflow attack detection system called Nebula 1 NEtwork-based BUffer overfLow Attack detection, which can detect both known and zero-day buffer overflow attacks based solely on the packets observed without requiring any modifications to the end hosts. Moreover, instead of deriving a specific signature for each individual buffer overflow attack instance, Nebula uses a generalized signature that can capture all known variants of buffer overflow attacks while reducing the number of false positives to a negligible level. In addition, Nebula is built on a centralized TCP/IP architecture that effectively defeats all existing NIDS evasion techniques. Finally, Nebula incorporates a payload type identification mechanism that reduces further the false positive rate and scales the proposed buffer overflow attack detection scheme to gigabit network links.

AB - Buffer overflow attack is the main attack method that most if not all existing malicious worms use to propagate themselves from machine to machine. Although a great deal of research has been invested in defense mechanisms against buffer overflow attack, most of them require modifications to the network applications and/or the platforms that host them. Being an extension work of CTCP, this paper presents a network-based low performance overhead buffer overflow attack detection system called Nebula 1 NEtwork-based BUffer overfLow Attack detection, which can detect both known and zero-day buffer overflow attacks based solely on the packets observed without requiring any modifications to the end hosts. Moreover, instead of deriving a specific signature for each individual buffer overflow attack instance, Nebula uses a generalized signature that can capture all known variants of buffer overflow attacks while reducing the number of false positives to a negligible level. In addition, Nebula is built on a centralized TCP/IP architecture that effectively defeats all existing NIDS evasion techniques. Finally, Nebula incorporates a payload type identification mechanism that reduces further the false positive rate and scales the proposed buffer overflow attack detection scheme to gigabit network links.

KW - Buffer overflow attacks

KW - CTCP

KW - Generalized attack signatures

KW - Network-based intrusion detection

KW - Payload bypassing

KW - Return-into-libc attacks

UR - http://www.scopus.com/inward/record.url?scp=34547687659&partnerID=8YFLogxK

U2 - 10.1145/1185347.1185370

DO - 10.1145/1185347.1185370

M3 - 會議論文篇章

AN - SCOPUS:34547687659

SN - 1595935800

SN - 9781595935809

T3 - ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems

SP - 163

EP - 171

BT - ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems

Y2 - 3 December 2006 through 5 December 2006

ER -

Hsu FH, Guo F, Chiueh TC. Scalable network-based buffer overflow attack detection. 於 ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems. 2006. p. 163-171. (ANCS 2006 - Proceedings of the 2006 ACM/IEEE Symposium on Architectures for Networking and Communications Systems). https://doi.org/10.1145/1185347.1185370