... To discover vulnerability exploitation behavior, researchers have proposed a series of detection methods [1][2][3][4][5][6][7][8][9][10][11][12]. They can be divided into two categories: host-based detection methods and traffic-based detection methods. ...
... Borders et al. [9] propose Spector, a traffic payload analysis engine, which uses symbolic execution technology to extract meaningful API calls in shellcode and generate the underlying disassembly code. Kanemoto et al. [10] propose an attack detection method based on code simulation, combined with IDS rules to detect whether remote shellcode attacks are successful. Pratomo et al. [11] propose Blatta, a method of detecting early exploit traffic using a cyclic neural network. ...
As the most crucial link in the network kill chain, exploiting a vulnerability is viewed as one of the most popular attack vectors for gaining control of a system, which endangers legitimate users. Therefore, an effective exploit traffic detection method is urgently needed. However, current methods are mostly based on pattern matching and are ineffective against encrypted traffic. To address this problem, we propose a reverse shell-based exploit traffic detection method, ETDetector. Our key insight is that a reverse shell, as one of the most popular exploit behaviors, often coexists with vulnerability exploitation. We therefore first extract fused information features from the original features, such as the packet delay sequence, and use them as input to a decision tree model that identifies reverse shell traffic in the shellcode execution stage. Then, we trace suspicious traffic back to the shellcode delivery stage by reconstructing the session relationship between the two stages. Compared with Blatta, which uses a recurrent neural network to detect early exploit traffic, the detection rate of ETDetector is increased by 50%, and it remains valid for encrypted exploit traffic. In addition, we propose a traffic stratification method based on a bisecting K-means algorithm, which intuitively shows the traffic communication behavior and improves the interpretability of ETDetector.
... Anthropological studies found that SOC analysts are often not satisfied with their job [15], [16]. They are overloaded with mundane, tedious tasks, and the currently deployed tools are not sophisticated enough to automate these tasks [82]- [84]. SOC analysts' primary responsibility, especially at tier 1, is to follow Standard Operating Procedures (SOPs), also called playbooks. ...
... Increase Automation: Increasing automation helps decrease the amount of mundane and boring tasks [83], [84]. This can be achieved with more efficient and helpful tools deployed within the SOC. ...
Since the introduction of Security Operations Centers (SOCs) around 15 years ago, their importance has grown significantly, especially over the last five years. This is mainly due to the paramount necessity to prevent major cyber incidents and the resulting adoption of centralized security operations in businesses. Despite their popularity, existing academic work on the topic lacks a generally accepted view and focuses mainly on fragments rather than looking at it holistically. These shortcomings impede further innovation. In this paper, a comprehensive literature survey is conducted to collate different views. The discovered literature is then used to determine the current state-of-the-art of SOCs and derive primary building blocks. Current challenges within a SOC are identified and summarized. A notable shortcoming of academic research is its focus on the human and technological aspects of a SOC while neglecting the connection of these two areas by specific processes (especially by non-technical processes). However, this area is essential for leveraging the full potential of a SOC in the future.
... In addition, there is research conducted by (Kanemoto et al., 2019) in which they used a shellcode emulation method evaluated on accuracy and performance. Their aim was to obtain a model that can identify the important alerts, those that indicate a security breach in the system, automatically. ...
The Internet can connect one person to another through their respective devices. The Internet itself has positive and negative impacts. One example of a negative impact of the Internet is malware, which can disrupt or even damage devices or their users; this is why cyber security is needed. There are many ways to prevent or detect malware. One of them is to use machine learning techniques. The training and testing datasets for this experiment come from the UNSW_NB15 dataset. K-Nearest Neighbour (KNN), Decision Tree, and Naïve Bayes were implemented to classify whether a record in the testing data is a Shellcode attack or non-Shellcode. The KNN, Decision Tree, and Naïve Bayes classifiers achieved accuracy rates of 96.82%, 97.08%, and 63.43%, respectively. The results of this research are expected to provide insight into the use of machine learning for detecting or classifying malware or other types of cyber attacks.
... Bindshell is a tactical approach that involves establishing a root shell and binding its input and output streams to a socket while listening on a port selected by the attacker [5]. This smart use of bindshell shellcodes creates a dynamic scenario in which the victim server actively seeks new connections, leaving an open route for the attacker to establish a new network connection [6]. The power of bindshell resides in its ability to not only create a regulated environment for remote access, but also to develop a symbiotic connection architecture that allows for the orchestration of instructions and activities across networked nodes. ...
... Borders et al. [9] proposed Spector, a traffic load analysis engine, which uses symbolic execution technology to extract meaningful API calls in shellcode and generate the underlying disassembly code. In 2019, Kanemoto et al. [10] proposed an attack detection method based on code simulation technology, combined with IDS rules to detect whether remote shellcode attacks are successful. In 2020, Pratomo et al. [11] proposed Blatta, a method of detecting early exploit traffic by using a cyclic neural network. ...
Vulnerability exploitation is the key to obtaining control of a system, posing a significant threat to network security. Therefore, it is necessary to discover exploitation from traffic. Current methods usually target only a single stage with an incomplete causal relationship and depend on the payload content, so an attacker can easily evade detection by encrypting traffic or by other means. We propose a traffic traceback method for vulnerability exploitation based on session relations to solve the above problems. First, we construct the session relationship model using the session correlation of the different stages of an exploit. Second, we build a session graph from historical traffic. Finally, we traverse the session graph to find the traffic conforming to the session relationship model. Compared with Blatta, a method that detects early exploit traffic with an RNN, the detection rate of our method is increased by 50%, independent of the traffic encryption method.
... developed an alert-triage technology [2,3] that automatically determines the success or failure of an attack on a server (from a network communication) from the trace of the attack and determines whether the alert associated with that attack should be given priority. This is the world's first technology for performing triage (prioritization) by focusing on the success or failure of an attack. ...
Vulnerability exploitation is the key to obtaining control of a system, posing a significant threat to network security. Therefore, it is necessary to discover exploitation from traffic. Current methods usually target only a single stage with an incomplete causal relationship and depend on the payload content, so an attacker can easily evade detection by encrypting traffic or by other means. To solve the above problems, we propose a traffic traceback method for vulnerability exploitation based on session relations. First, we construct the session relationship model using the session correlation of the different stages of an exploit. Second, we build a session graph from historical traffic. Finally, we traverse the session graph to find the traffic conforming to the session relationship model. Compared with Blatta, a method that detects early exploit traffic with an RNN, the detection rate of our method is increased by 50%, independent of the traffic encryption method.
Remote code-injection attacks are one of the most frequently used attack vectors in computer security. To detect and analyze injected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts to understand the behavior of shellcode. We demonstrated that memory-scanning attacks can evade current emulators, and propose Yataglass, an elaborated network-level code emulator that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incorporated memory-scanning attacks.
An Intrusion Detection System (IDS) is a crucial element of a network security posture. One class of IDS, called signature-based network IDSs, monitors network traffic, looking for evidence of malicious behavior as specified in attack descriptions (referred to as signatures). Many studies have reported that IDSs can generate thousands of alarms a day, many of which are false alarms. The problem often lies in the low accuracy of IDS signatures. It is therefore important to have more accurate signatures in order to reduce the number of false alarms. One part of the false alarm problem is the inability of IDSs to verify attacks (i.e. distinguish between successful and failed attacks). If IDSs were able to accurately verify attacks, this would reduce the number of false alarms a network administrator has to investigate. In this paper, we demonstrate the feasibility of using a data mining algorithm to automatically generate IDS verification rules. We show that this automated approach is effective in reducing the number of false alarms when compared to other widely used and maintained IDSs.
An Intrusion Detection System (IDS) is a crucial element of a network security posture. Although there are many IDS products available, it is rather difficult to find information about their accuracy. Only a few organizations evaluate these products. Furthermore, the data used to test and evaluate these IDS is usually proprietary. Thus, the research community cannot easily evaluate the next generation of IDS. Toward this end, DARPA provided in 1998, 1999 and 2000 an Intrusion Detection Evaluation Data Set. However, no new data set has been released by DARPA since 2000, in part because of the cumbersomeness of the task. In this paper, we propose a strategy to address certain aspects of generating a publicly available documented data set for testing and evaluating intrusion detection systems. We also present a tool that automatically analyzes and evaluates IDS using our proposed data set.
Intrusion Detection Systems (IDS) use different techniques to reduce the number of false positives they generate. Simple network context information such as the communication session state has been added to IDS signatures to only raise alarms in the proper context. However, this is often not sufficient, and more network context information needs to be added to these Stateful IDS (SIDS) signatures to reduce the number of false positives. IDS are also used with other network monitoring systems such as Vulnerability Detection Systems (VDS) and vulnerability databases in centralized correlation systems to determine the importance of an alarm. The correlation mechanism relies on the accuracy of a standardized relationship between IDS signatures, VDS signatures and the vulnerability databases. In this paper, we study the strength of the relationships between Snort signatures, Nessus scripts and the Bugtraq vulnerability database, as well as their potential for information correlation and for deriving network context that could be incorporated in intrusion detection signatures.
Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. This paper presents a general correlation model that includes a comprehensive set of components and a framework based on this model. A tool using the framework has been applied to a number of well-known intrusion detection data sets to identify how each component contributes to the overall goals of correlation. The results of these experiments show that the correlation components are effective in achieving alert reduction and abstraction. They also show that the effectiveness of a component depends heavily on the nature of the data set analyzed.
Software patching has not been effective as a first-line defense against large-scale worm attacks, even when patches have long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields --- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, but before a patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and correct traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits [43].
A CPU emulator is a program emulating the internal operation of a physical CPU in software. CPU emulators play a vital role and have many applications in the computer security area, such as reversing obfuscated malware or verifying code semantics. This paper presents the Unicorn emulator framework, which offers some unparalleled features: an architecture-independent API, multi-architecture and multi-platform support, thread safety, and open source. We will introduce some existing emulators, then go into the details of their design and implementation and explain their current issues. Next, the architecture of Unicorn will be discussed with a focus on the challenges of designing and implementing it. Unicorn aims to lay the groundwork for innovative work. To conclude this paper, some new advanced tools built on top of our engine will be introduced to demonstrate its power, so that readers can see how Unicorn can open up many opportunities for the future of security research and development. Find more information and the full source code of Unicorn at its homepage http://www.unicorn-engine.org.
Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regard to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels of the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.
Software patching has not been effective as a first-line defense against large-scale worm attacks, even when patches have long been available for their corresponding vulnerabilities. Generally, people have been reluctant to patch their systems immediately, because patches are perceived to be unreliable and disruptive to apply. To address this problem, we propose a first-line worm defense in the network stack, using shields -- vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, but before a patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and correct traffic that exploits vulnerabilities. Shields are less disruptive to install and uninstall, easier to test for bad side effects, and hence more reliable than traditional software patches. Further, shields are resilient to polymorphic or metamorphic variations of exploits [43]. In this paper, we show that this concept is feasible by describing a prototype Shield framework implementation that filters traffic above the transport layer. We have designed a safe and restrictive language to describe vulnerabilities as partial state machines of the vulnerable application. The expressiveness of the language has been verified by encoding the signatures of several known vulnerabilities. Our evaluation provides evidence of Shield's low false positive rate and small impact on application throughput. An examination of a sample set of known vulnerabilities suggests that Shield could be used to prevent exploitation of a substantial fraction of the most dangerous ones.
A network-based Intrusion Detection System (IDS) gathers and analyzes network packets and reports possible low-level security violations to a system administrator. In a large network setup, these low-level and partial reports become unmanageable for the administrator, resulting in some unattended events. Further, it is known that state-of-the-art IDS generate many false alarms. There are techniques proposed in the IDS literature to minimize false alarms, many of which are widely used in practice in commercial Security Information and Event Management (SIEM) tools. In this paper, we review existing false alarm minimization techniques in signature-based Network Intrusion Detection Systems (NIDS). We give a taxonomy of false alarm minimization techniques in signature-based IDS and present the pros and cons of each class. We also study a few of the prominent commercial SIEM tools which have implemented these techniques, along with their performance. Finally, we conclude with some directions for future research.
Network-based dynamic shellcode detection, in which network traffic is examined by executing it on an emulator to detect the essential behavior of shellcode, has been studied intensively in recent years. The main issues of dynamic shellcode detection are (1) the computational cost is high and (2) it can detect only shellcodes whose behaviors match predefined detection rules. In this paper, we propose a novel dynamic shellcode detection method which is much faster and detects a greater variety of x86 shellcodes than existing methods. Our method utilizes a combination of static detection and emulation-based dynamic detection. Namely, it first performs a static binary string search over the to-be-examined traffic for particular x86 instructions to spot shellcode candidates. Then, it performs the dynamic detection on the candidates. Moreover, we add a new detection rule for our dynamic detection, which allows us to detect shellcodes for Windows systems or Linux systems. An evaluation with honeypot traffic shows an impressive improvement of the proposed method in terms of computational cost. Also, an evaluation using a penetration testing tool shows that the proposed method can detect a greater variety of shellcodes than the best existing method.
As state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to evade detection. Although recent results have been promising, most existing proposals can be defeated using only minor enhancements to the attack vector. We present a heuristic detection method that scans network traffic streams for the presence of polymorphic shellcode. Our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence, aiming to identify the execution behavior of polymorphic shellcodes. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques like self-modification compared to previous proposals, but also highlights advanced evasion techniques that need to be more closely examined towards a satisfactory solution to the polymorphic shellcode detection problem.
Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. Therewith, we greatly enhance the signature's expressiveness and hence the ability to reduce false positives. We present several examples such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans. To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs.
A common way by which attackers gain control of hosts is through remote exploits. A new dimension to the problem is added by worms which use exploit code to self-propagate, and are becoming a commonplace occurrence. Defense mechanisms exist but popular ones are signature-based techniques which use known byte patterns, and they can be thwarted using polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than just a byte pattern because, in addition, there is a definite control and data flow. We propose a fast static analysis based approach which is essentially a litmus test and operates by making a distinction between data, programs and program-like exploit code. We have implemented a prototype called styx and evaluated it against real data collected at our organizational network. Results show that it is able to detect a variety of exploit code and can also generate very specific signatures. Moreover, it shows initial promise against polymorphism and metamorphism.
We propose a method to verify the result of attacks detected by signature-based network intrusion detection systems using lightweight protocol analysis. The observation is that network protocols often have short, meaningful status codes placed at the beginning of server responses to client requests. A successful intrusion that alters the behavior of a network application server often results in an unexpected server response, which does not contain the valid protocol status code. This can be used to verify the result of the intrusion attempt. We then extend this method to verify the result of attacks that still generate a valid protocol status code in the server responses. We evaluate this approach by augmenting Snort signatures and testing on real-world data. We show that some simple changes to Snort signatures can effectively verify the result of attacks against application servers, thus significantly improving the quality of alerts.
In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploit-based signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerability-signature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is then created for a given representation and coverage. We propose new data-flow analysis and novel adoption of existing techniques such as constraint solving for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous exploit-based signatures. In addition, our techniques have several other security applications, and thus may be of independent interest.
... this paper, on the other hand, an active alert verification mechanism is proposed. We query the potential victim in response to the sign of an attack to get the current configuration of the victim that either supports or refutes the hypothesis that a successful intrusion has occurred. ...
Web servers are ubiquitous, remotely accessible, and often misconfigured. In addition, custom Web-based applications may introduce vulnerabilities that are overlooked even by the most security-conscious server administrators. Consequently, Web servers are a popular target for hackers. To mitigate the security exposure associated with Web servers, intrusion detection systems are deployed to analyze and screen incoming requests. The goal is to perform early detection of malicious activity and possibly prevent more serious damage to the protected site. Even though intrusion detection is critical for the security of Web servers, the intrusion detection systems available today only perform very simple analyses and are often vulnerable to simple evasion techniques. In addition, most systems do not provide sophisticated attack languages that allow a system administrator to specify custom, complex attack scenarios to be detected. We present WebSTAT, an intrusion detection system that analyzes Web requests looking for evidence of malicious behavior. The system is novel in several ways. First of all, it provides a sophisticated language to describe multistep attacks in terms of states and transitions. In addition, the modular nature of the system supports the integrated analysis of network traffic sent to the server host, operating system-level audit data produced by the server host, and the access logs produced by the Web server. By correlating different streams of events, it is possible to achieve more effective detection of Web-based attacks.
This paper presents the work we have done within the MIRADOR project to design CRIM, a cooperative module for intrusion detection systems (IDS). This module implements functions to manage, cluster, merge and correlate alerts. The clustering and merging functions recognize alerts that correspond to the same occurrence of an attack and create a new alert that merges the data contained in these various alerts. Experiments show that these functions significantly reduce the number of alerts. However, we also observe that the alerts we obtain are still too elementary to be managed by a security administrator. The purpose of the correlation function is thus to generate global and synthetic alerts. This paper focuses on the approach we suggest for designing this function.
J. Foster, "Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals," Elsevier Science, Jan 2005.