Masaki Kobayashi, Yo Kanemoto, Daisuke Kotani, Yasuo Okabe
{"title":"Generation of IDS Signatures through Exhaustive Execution Path Exploration in PoC Codes for Vulnerabilities","authors":"Masaki Kobayashi, Yo Kanemoto, Daisuke Kotani, Yasuo Okabe","doi":"10.2197/ipsjjip.31.591","DOIUrl":null,"url":null,"abstract":"There have been many vulnerabilities, and we need prompt countermeasures. One factor that makes more rapid measures necessary is Proof of Concept (PoC) codes. Although they are released to promote vulnerability countermeasures, attackers can also abuse them. In this paper, we analyze PoC codes that send HTTP requests, then generate IDS signatures. To analyze codes, there are two policies: dynamic analysis and static analysis. However, the former cannot cover the execution paths, and the latter cannot analyze dynamically determined values. In addition, symbolic execution compensates for their shortcomings, but its implementation cost is high. We propose a signature generation method for PoC codes that send HTTP requests based on an analysis combining dynamic and static analysis. We first statically explore execution paths of the code by searching for the conditional branch syntax using the abstract syntax tree. Then, we rewrite the branch conditions to enforce the specific execution path and generate a new code corresponding to each path. Finally, we execute each code, generate the attack requests dynamically, and extract signatures. The average detection rate for the requests was 86.9%. Moreover, we tested the signatures for 30 codes by actually executing them, and for nine codes, we detected the attack.","PeriodicalId":16243,"journal":{"name":"Journal of Information Processing","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Processing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.2197/ipsjjip.31.591","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"Computer Science","Score":null,"Total":0}
引用次数: 0
Abstract
There have been many vulnerabilities, and we need prompt countermeasures. One factor that makes more rapid measures necessary is Proof of Concept (PoC) codes. Although they are released to promote vulnerability countermeasures, attackers can also abuse them. In this paper, we analyze PoC codes that send HTTP requests, then generate IDS signatures. To analyze codes, there are two policies: dynamic analysis and static analysis. However, the former cannot cover the execution paths, and the latter cannot analyze dynamically determined values. In addition, symbolic execution compensates for their shortcomings, but its implementation cost is high. We propose a signature generation method for PoC codes that send HTTP requests based on an analysis combining dynamic and static analysis. We first statically explore execution paths of the code by searching for the conditional branch syntax using the abstract syntax tree. Then, we rewrite the branch conditions to enforce the specific execution path and generate a new code corresponding to each path. Finally, we execute each code, generate the attack requests dynamically, and extract signatures. The average detection rate for the requests was 86.9%. Moreover, we tested the signatures for 30 codes by actually executing them, and for nine codes, we detected the attack.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
