Signature Generation

The Experts below are selected from a list of 20778 Experts worldwide ranked by ideXlab platform

Tzi-cker Chiueh - One of the best experts on this subject based on the ideXlab platform.

  • ACSAC - Execution Trace-Driven Automated Attack Signature Generation
    2008 Annual Computer Security Applications Conference (ACSAC), 2008
    Co-Authors: Susanta Nanda, Tzi-cker Chiueh
    Abstract:

    In its most general form, an attack signature is a program that can correctly determine if an input network packet sequence can successfully attack a protected network application. Filter rules used in firewall and network intrusion prevention systems (NIPS) are an abstract form of attack signature. This paper presents the design, implementation, and evaluation of an automated attack signature generation system called Trag, that automatically generates an executable attack signature program from a victim program's source and a given attack input. Trag leverages dynamic data and control dependencies to extract relevant code in the victim program, accurately identifies variable initialization statements that are not executed in the given attack, is able to generate attack signatures for multi-process network applications, and reduces the size of attack signatures by exploiting responses from victim programs. Experiments with a fully working Trag prototype show that Trag's signatures can indeed prevent attacks against multiple production-grade vulnerable server/Web applications, such as Apache, wu-ftpd and MyBulletinBoard, with up to 65% reduction in size when compared with the victim program. In terms of performance overhead, the additional latency as observed from the client-side is no more than 25 usec for multi-process Web applications, while the overall throughput remains unaffected.

B Chavez - One of the best experts on this subject based on the ideXlab platform.

  • Hamsa: Fast Signature Generation for Zero-Day Polymorphic Worms with Provable Attack Resilience
    IEEE Symposium on Security and Privacy, 2006
    Co-Authors: Zhichun Li, Manan Sanghi, Yan Chen, Mingyang Kao, B Chavez
    Abstract:

    Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph (J. Newsome et al., 2005) in terms of efficiency, accuracy, and attack resilience.

Susanta Nanda - One of the best experts on this subject based on the ideXlab platform.

  • ACSAC - Execution Trace-Driven Automated Attack Signature Generation
    2008 Annual Computer Security Applications Conference (ACSAC), 2008
    Co-Authors: Susanta Nanda, Tzi-cker Chiueh
    Abstract:

    In its most general form, an attack signature is a program that can correctly determine if an input network packet sequence can successfully attack a protected network application. Filter rules used in firewall and network intrusion prevention systems (NIPS) are an abstract form of attack signature. This paper presents the design, implementation, and evaluation of an automated attack signature generation system called Trag, that automatically generates an executable attack signature program from a victim program's source and a given attack input. Trag leverages dynamic data and control dependencies to extract relevant code in the victim program, accurately identifies variable initialization statements that are not executed in the given attack, is able to generate attack signatures for multi-process network applications, and reduces the size of attack signatures by exploiting responses from victim programs. Experiments with a fully working Trag prototype show that Trag's signatures can indeed prevent attacks against multiple production-grade vulnerable server/Web applications, such as Apache, wu-ftpd and MyBulletinBoard, with up to 65% reduction in size when compared with the victim program. In terms of performance overhead, the additional latency as observed from the client-side is no more than 25 usec for multi-process Web applications, while the overall throughput remains unaffected.

Manan Sanghi - One of the best experts on this subject based on the ideXlab platform.

  • Hamsa: Fast Signature Generation for Zero-Day Polymorphic Worms with Provable Attack Resilience
    IEEE Symposium on Security and Privacy, 2006
    Co-Authors: Zhichun Li, Manan Sanghi, Yan Chen, Mingyang Kao, B Chavez
    Abstract:

    Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph (J. Newsome et al., 2005) in terms of efficiency, accuracy, and attack resilience.

James Wonki Hong - One of the best experts on this subject based on the ideXlab platform.

  • Towards Automated Application Signature Generation for Traffic Identification
    Network Operations and Management Symposium, 2008
    Co-Authors: Byungchul Park, Young J Won, Myungsup Kim, James Wonki Hong
    Abstract:

    Traditionally, Internet applications have been identified by using predefined well-known ports with questionable accuracy. An alternative approach, application-layer signature mapping, involves the exhaustive search of reliable signatures but with more promising accuracy. With a prior protocol knowledge, the signature generation can guarantee a high accuracy. As more applications use proprietary protocols, it becomes increasingly difficult to obtain an accurate signature while avoiding a time-consuming and manual signature generation process. This paper proposes an automated approach for generating application-level signatures, the LASER algorithm, that does not need to be preceded by an analysis of application protocols. We show that our approach is as accurate and efficient as the approach that uses preceding application protocol analysis.
