Abstract
It is always assumed that if the attackers can achieve their goal by exploiting a vulnerability once, they won’t exploit it twice. This assumption shapes our view of what attacks look like, and affects the design of many security systems. In this work, we propose the swarm attack, in which the attacker deliberately exploits the same vulnerability multiple times, each intended to carry out only a small part of the attack goal. We have studied eight systems that detect attacks using network-level emulation/analysis, and find them surprisingly vulnerable to attacks based on this strategy.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Chung, S.P., Mok, A.K. (2008). Swarm Attacks against Network-Level Emulation/Analysis. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_10
DOI: https://doi.org/10.1007/978-3-540-87403-4_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4