
Third IEEE International Workshop on Information Assurance (IWIA'05): latest papers

A methodology for designing countermeasures against current and future code injection attacks
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.2
Yves Younan, W. Joosen, F. Piessens
This paper proposes a methodology to develop countermeasures against code injection attacks, and validates the methodology by working out a specific countermeasure. This methodology is based on modeling the execution environment of a program. Such a model is then used to build countermeasures. The paper justifies the need for a more structured approach to protect programs against code injection attacks: we examine advanced techniques for injecting code into C and C++ programs and we discuss state-of-the-art (often ad hoc) approaches that typically protect singular memory locations. We validate our methodology by building countermeasures that prevent attacks by protecting a broad variety of memory locations that may be used by attackers to perform code injections. The paper evaluates our approach and discusses ongoing and future work.
Citations: 25
Meta IDS environments: an event message anomaly detection approach
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.13
J. Tölle, M. Jahnke, Michael Bussmann, Sven Henkel
This paper presents an anomaly detection approach for application in Meta IDS environments, where locally generated event messages from several domains are centrally processed. The basic approach has been successfully used for detection of abnormal traffic structures in computer networks. It creates directed graphs from address specifications contained within event messages and generates clusterings of the graphs. Large differences between subsequent clusterings indicate anomalies. This anomaly detection approach is part of an intrusion warning system (IWS) for dynamic coalition environments. It is designed to indicate suspicious actions and tendencies and to provide decision support on how to react to anomalies. Real-world data, mixed with data from a simulated Internet worm, is used to analyze the system. The results prove the applicability of our approach.
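The graph-clustering idea in the abstract above, as an added example rather than the authors' code: constructed event messages carry a source and a destination address, each time window becomes a directed graph, the graph is clustered, and a window is flagged when its clustering differs sharply from the preceding one. The paper does not name its clustering algorithm or its distance measure; weakly connected components and a Jaccard distance over co-clustered node pairs are stand-ins chosen here, and the sample stream, the address ranges and the threshold are all constructed.

```python
"""Graph-clustering anomaly detection over centrally collected event messages.

Added example, not the paper's code. Each event message carries a source and
destination address; per time window those pairs form a directed graph, the
graph is clustered, and each clustering is compared with the previous one.
The paper does not specify its clustering method or distance; here clusters
are weakly connected components and the distance is the Jaccard distance
between the sets of node pairs that share a cluster (both are assumptions).
"""
import itertools
import re
from collections import defaultdict

# Constructed sample stream: "<window> <domain> <src> -> <dst>", one per line.
# Windows 1-3 are routine client/server traffic with some churn; in window 4
# host 10.0.0.99 contacts every address it can reach, as a scanning worm would.
SAMPLE_EVENTS = """\
1 domA 10.0.0.1 -> 10.0.1.10
1 domA 10.0.0.2 -> 10.0.1.10
1 domA 10.0.0.3 -> 10.0.1.10
1 domB 10.0.2.1 -> 10.0.1.20
1 domB 10.0.2.2 -> 10.0.1.20
2 domA 10.0.0.1 -> 10.0.1.10
2 domA 10.0.0.2 -> 10.0.1.10
2 domA 10.0.0.4 -> 10.0.1.10
2 domB 10.0.2.1 -> 10.0.1.20
2 domB 10.0.2.2 -> 10.0.1.20
3 domA 10.0.0.1 -> 10.0.1.10
3 domA 10.0.0.3 -> 10.0.1.10
3 domA 10.0.0.4 -> 10.0.1.10
3 domB 10.0.2.1 -> 10.0.1.20
3 domB 10.0.2.2 -> 10.0.1.20
4 domA 10.0.0.1 -> 10.0.1.10
4 domA 10.0.0.3 -> 10.0.1.10
4 domA 10.0.0.4 -> 10.0.1.10
4 domB 10.0.2.1 -> 10.0.1.20
4 domB 10.0.2.2 -> 10.0.1.20
4 domA 10.0.0.99 -> 10.0.1.10
4 domB 10.0.0.99 -> 10.0.1.20
"""
SAMPLE_EVENTS += "".join(f"4 domB 10.0.0.99 -> 10.0.3.{i}\n" for i in range(1, 9))

EVENT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)$")

def parse_events(text):
    """Group (src, dst) edges by window id; lines that do not parse are skipped."""
    windows = defaultdict(list)
    for line in text.splitlines():
        match = EVENT_RE.match(line.strip())
        if match:
            win, _domain, src, dst = match.groups()
            windows[int(win)].append((src, dst))
    return dict(sorted(windows.items()))

def components(edges):
    """Weakly connected components of the directed graph (union-find)."""
    parent = {}
    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node
    for src, dst in edges:
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [frozenset(g) for g in groups.values()]

def copair_set(clustering):
    """Unordered node pairs that fall in the same cluster."""
    return {pair for cluster in clustering
            for pair in itertools.combinations(sorted(cluster), 2)}

def clustering_distance(first, second):
    """Jaccard distance between co-pair sets: 0 = identical, 1 = disjoint."""
    p1, p2 = copair_set(first), copair_set(second)
    union = p1 | p2
    return 1.0 - len(p1 & p2) / len(union) if union else 0.0

def window_distances(windows):
    """Distance of each window's clustering from the preceding window's."""
    ids = list(windows)
    clusterings = {w: components(windows[w]) for w in ids}
    return {ids[i]: clustering_distance(clusterings[ids[i - 1]], clusterings[ids[i]])
            for i in range(1, len(ids))}

def anomalous_windows(text, threshold=0.75):
    """Window ids whose clustering jumped by more than `threshold`."""
    return [w for w, d in window_distances(parse_events(text)).items() if d > threshold]

if __name__ == "__main__":
    for w, d in window_distances(parse_events(SAMPLE_EVENTS)).items():
        print(f"window {w}: distance from previous = {d:.3f}")
    print("anomalous windows:", anomalous_windows(SAMPLE_EVENTS))
```

Routine churn between the sample windows already yields a distance of 0.5, so the threshold has to be calibrated against a baseline of known-normal windows rather than set near zero; the worm window scores 0.925 because a single scanning host merges every component into one cluster.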
Citations: 3
Stellar: a fusion system for scenario construction and security risk assessment
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.16
Stephen W. Boyer, Oliver Dain, R. Cunningham
Stellar is a real-time system which aggregates and correlates alerts from heterogeneous network defense systems, building scenarios and estimating the security risk of the entire scenario. Prior work considered Stellar scenario formation; in this paper we explore the advantages provided by using scenario context to assess the risk of actions occurring on a network. We describe the design and an evaluation of Stellar and its Security Assessment Declarative Language (SADL), a fast, stateful, simple-to-use language for assessing the priority of scenarios, on a high traffic network under constant attack. The evaluation of the Stellar system deployed on a large, operational enterprise network demonstrated its ability to scale to high alert volumes while accurately forming and prioritizing scenarios. Stellar not only produced high priority scenarios matching all incidents reported by human analysts, but also discovered additional scenarios of concern that had initially gone unnoticed. Furthermore, by following the simple formalism embedded in example SADL rules, system administrators quickly develop a correct understanding of the network they are protecting.
Citations: 18
An alert fusion framework for situation awareness of coordinated multistage attacks
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.3
S. Mathew, Chintan Shah, S. Upadhyaya
Recent incidents in the cyber world strongly suggest that coordinated multistage cyber attacks are quite feasible and that effective countermeasures need to be developed. Attack detection by correlation and fusion of intrusion alerts has been an active area of current research. However, most of these research efforts focus on ex post facto analysis of alert data to uncover related attacks. In this paper, we present an approach for dynamically calculating 'scenario credibilities' based on the state of a live intrusion alert stream. We also develop a framework for attack scenario representation that facilitates real-time fusion of intrusion alerts and calculation of the scenario credibility values. Our approach provides a usable mechanism for detecting, predicting and reasoning about multistage goal-oriented attacks in real time. The details of the fusion framework and a description of multistage attack detection using this framework are presented in this paper.
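A worked illustration of the real-time fusion the abstract above describes, added here and not taken from the paper: alerts arrive one at a time, each open scenario instance is advanced when the alert fits its next stage, and every instance carries a credibility that is recomputed on demand from the live state. The scenario representation (an ordered list of stages, each satisfied by a set of alert kinds and bound to one victim host) and the credibility formula (weight share of stages reached, halved for every idle half-life) are assumptions made for this example, as are the alert kinds, the addresses and the timestamps.

```python
"""Scenario credibilities computed on the fly from a live alert stream.

Added example, not the paper's framework. The scenario representation and the
credibility formula are assumptions: a scenario is an ordered list of stages,
each satisfied by a set of alert kinds; an instance of a scenario is bound to
one victim host and advances when an alert of the next stage's kind involves
that host; credibility is the weight share of the stages reached, halved for
every `half_life` seconds the instance has been idle.
"""
from dataclasses import dataclass, field

@dataclass
class Alert:
    ts: float      # seconds
    kind: str
    src: str
    dst: str

@dataclass
class Stage:
    name: str
    kinds: frozenset   # alert kinds that satisfy this stage
    weight: float      # later stages carry more weight

@dataclass
class Scenario:
    name: str
    stages: list
    half_life: float   # idle seconds after which credibility halves

@dataclass
class Instance:
    scenario: Scenario
    victim: str
    reached: int = 0   # stages matched so far
    last_ts: float = 0.0
    trail: list = field(default_factory=list)

    def credibility(self, now):
        total = sum(s.weight for s in self.scenario.stages)
        got = sum(s.weight for s in self.scenario.stages[:self.reached])
        idle = max(0.0, now - self.last_ts)
        return got / total * 0.5 ** (idle / self.scenario.half_life)

class Fuser:
    """Maintains scenario instances; feed alerts in arrival order."""

    def __init__(self, scenarios):
        self.scenarios = scenarios
        self.instances = []

    def feed(self, alert):
        """Advance matching instances, else open new ones; returns what changed."""
        touched = []
        for inst in self.instances:
            stages = inst.scenario.stages
            if (inst.reached < len(stages) and inst.victim in (alert.src, alert.dst)
                    and alert.kind in stages[inst.reached].kinds):
                inst.reached += 1
                inst.last_ts = alert.ts
                inst.trail.append(alert)
                touched.append(inst)
        if not touched:
            for sc in self.scenarios:
                if alert.kind in sc.stages[0].kinds:
                    inst = Instance(sc, alert.dst, 1, alert.ts, [alert])
                    self.instances.append(inst)
                    touched.append(inst)
        return touched

    def ranked(self, now):
        """Instances with their current credibility, most credible first."""
        return sorted(((inst.credibility(now), inst) for inst in self.instances),
                      key=lambda pair: -pair[0])

# Constructed scenario: reconnaissance, then exploitation, then command-and-control.
COMPROMISE = Scenario("host-compromise", [
    Stage("recon", frozenset({"portscan"}), 1.0),
    Stage("exploit", frozenset({"exploit-attempt"}), 2.0),
    Stage("control", frozenset({"outbound-c2"}), 3.0),
], half_life=120.0)

# Constructed alert stream: a full chain against 10.0.0.7, plus an isolated scan.
SAMPLE_ALERTS = [
    Alert(0.0, "portscan", "203.0.113.5", "10.0.0.7"),
    Alert(30.0, "exploit-attempt", "203.0.113.5", "10.0.0.7"),
    Alert(60.0, "portscan", "198.51.100.9", "10.0.0.8"),
    Alert(90.0, "outbound-c2", "10.0.0.7", "203.0.113.5"),
]

def run(alerts, now):
    """Feed the stream and return [(credibility, victim, stages reached)]."""
    fuser = Fuser([COMPROMISE])
    for alert in alerts:
        fuser.feed(alert)
    return [(round(c, 4), inst.victim, inst.reached) for c, inst in fuser.ranked(now)]

if __name__ == "__main__":
    for cred, victim, reached in run(SAMPLE_ALERTS, now=90.0):
        print(f"{victim}: credibility {cred:.3f} ({reached}/3 stages)")
```

Because credibility is a function of the current time rather than a stored number, an analyst's ranking at any moment reflects both how far each scenario has progressed and how recently it last moved; the lone scan against 10.0.0.8 keeps decaying while the completed chain against 10.0.0.7 stays at the top until it, too, goes idle.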
Citations: 34
Enforcing messaging security policies
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.7
Jaromir Likavec, S. Wolthusen
A system for enforcing messaging security policies for both store-and-forward and streaming messaging protocols on COTS operating system platforms is described. Messaging protocols are subjected to interception, transformation, and filtering based on dynamically configurable security policies. Transformations include the automatic policy-based application of cryptographic confidentiality, integrity, and authenticity mechanisms and filtering primarily based on Bayesian analysis. The system provides a low cost, fine granularity compartmentalization mechanism for secure environments as well as for sensitive but unclassified environments using COTS operating systems and application programs without affecting user or application behavior. Mediating access to key material and messaging provides protection against malware and insider attacks.
Citations: 0
Attack-potential-based survivability modeling for high-consequence systems
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.4
John McDermott
Previous quantitative models of security or survivability have been defined on a range of probable intruder behavior. This measures survivability as a statistic such as mean time to breach. This kind of purely stochastic quantification is not suitable for high-consequence systems. For high-consequence systems the quantified survivability should be based on the most competent intruders the system is likely to face. We show how to accomplish this with a contingency analysis based on variations in intruder attack-potential. The quantitative results are then organized and presented according to intruder attack potential. Examples of the technique are presented using stochastic process algebra. An interesting result for diverse replication is included in the examples.
Citations: 38
A general cooperative intrusion detection architecture for MANETs
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.1
D. Sterne, P. Balasubramanyam, D. Carman, B. Wilson, R. Talpade, C. Ko, R. Balupari, Chin-Yang Tseng, T. Bowen, K. Levitt, J. Rowe
Intrusion detection in MANETs is challenging because these networks change their topologies dynamically; lack concentration points where aggregated traffic can be analyzed; utilize infrastructure protocols that are susceptible to manipulation; and rely on noisy, intermittent wireless communications. We present a cooperative, distributed intrusion detection architecture that addresses these challenges while facilitating accurate detection of MANET-specific and conventional attacks. The architecture is organized as a dynamic hierarchy in which detection data is acquired at the leaves and is incrementally aggregated, reduced, and analyzed as it flows upward toward the root. Security management directives flow downward from nodes at the top. To maintain communications efficiency, the hierarchy is automatically reconfigured as needed using clustering techniques in which clusterheads are selected based on topology and other criteria. The utility of the architecture is illustrated via multiple attack scenarios.
Citations: 200
Evaluation of worm containment algorithms and their effect on legitimate traffic
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.8
M. Abdelhafez, G. Riley
Internet worm attacks have become increasingly more frequent and have had a major impact on the economy, making the detection and prevention of these attacks a top security concern. Several counter-measures have been proposed and evaluated in recent literature. However, the effect of these proposed defensive mechanisms on legitimate competing traffic has not been analyzed. Clearly a defensive approach that slows down or stops worm propagation at the expense of completely restricting any legitimate traffic is of little value. Here we perform a comparative analysis of the effectiveness of several of these proposed mechanisms, including a measure of their effect on normal Web browsing activities. In addition, we introduce a new defensive approach that can easily be implemented on existing hosts, and which significantly reduces the rate of spread of worms using TCP connections to perform the infiltration. Our approach has no measurable effect on legitimate traffic.
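The kind of evaluation the abstract above calls for, as an added example that is neither the paper's simulation nor its proposed defense: a discrete-time epidemic over a constructed population is run once with no containment and once with a per-host budget of new outbound connections per tick (a stand-in for the containment algorithms the paper compares), and both runs report the infected count over time alongside how many legitimate connections the budget pushed aside. The host count, address space, scan and legitimate rates, and the seed are all constructed values.

```python
"""Worm spread with and without per-host outbound connection limiting, with the
cost to legitimate traffic measured alongside the containment effect.

Added example, not the paper's simulation or its proposed defense. The
containment scheme here (a fixed budget of new outbound connections per host
per tick; requests beyond it are deferred) stands in for the algorithms the
paper compares. Host count, address space, rates and the seed are constructed.
"""
import random
from dataclasses import dataclass

HOSTS = 200            # vulnerable hosts sit at addresses 0..HOSTS-1
ADDRESS_SPACE = 1000   # the worm scans uniformly over 0..ADDRESS_SPACE-1
SERVERS = (0, 1, 2)    # legitimate connections go to these addresses
SCAN_RATE = 20         # scans an infected host attempts per tick
LEGIT_RATE = 1         # legitimate connections each host opens per tick

@dataclass
class Result:
    infected: int               # infected hosts at the end of the run
    per_tick: list              # infected count after each tick
    legit_total: int            # legitimate connections attempted
    legit_deferred: int         # legitimate connections pushed over the budget
    legit_deferred_clean: int   # ... of which on hosts that were not infected

def simulate(ticks, limit=None, seed=7):
    """Run the epidemic for `ticks` steps; `limit` is the per-tick budget (None = off)."""
    rng = random.Random(seed)
    infected = {rng.randrange(HOSTS)}
    per_tick = []
    legit_total = legit_deferred = legit_deferred_clean = 0
    for _ in range(ticks):
        newly = set()
        for host in range(HOSTS):
            # The host's outbound requests this tick, in arrival order.
            requests = [("legit", rng.choice(SERVERS)) for _ in range(LEGIT_RATE)]
            if host in infected:
                requests += [("scan", rng.randrange(ADDRESS_SPACE)) for _ in range(SCAN_RATE)]
                rng.shuffle(requests)   # worm and user traffic interleave
            budget = len(requests) if limit is None else limit
            for kind, dst in requests:
                if kind == "legit":
                    legit_total += 1
                if budget == 0:         # over budget: deferred, never sent this tick
                    if kind == "legit":
                        legit_deferred += 1
                        if host not in infected:
                            legit_deferred_clean += 1
                    continue
                budget -= 1
                if kind == "scan" and dst < HOSTS and dst not in infected:
                    newly.add(dst)      # a hit on a vulnerable host infects it
        infected |= newly               # infections take effect next tick
        per_tick.append(len(infected))
    return Result(len(infected), per_tick, legit_total, legit_deferred, legit_deferred_clean)

def compare(ticks=15, limit=1):
    """Unlimited run versus limited run, same seed and duration."""
    return simulate(ticks), simulate(ticks, limit=limit)

if __name__ == "__main__":
    free, capped = compare()
    print("no limit:", free.per_tick, f"deferred legit {free.legit_deferred}/{free.legit_total}")
    print("limit 1 :", capped.per_tick, f"deferred legit {capped.legit_deferred}/{capped.legit_total}")
```

The split between `legit_deferred` and `legit_deferred_clean` is the point of the exercise: a containment scheme that only ever delays traffic from hosts that are already infected has a very different cost from one that slows clean hosts too, and an evaluation that reports a single aggregate number cannot tell the two apart.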
Citations: 11
SAWAN: a survivable architecture for wireless LANs
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.15
M. Virendra, S. Upadhyaya, Vivek Kumar, V. Anand
This paper describes survivability schemes against access point (AP) failures in wireless LANs. It particularly aims for resiliency and survivability against multistage attacks where the adversary is successful in compromising the AP, and then targets the survived but more vulnerable network. This is true in real life where the adversary knows that survivability is a design consideration built into the network. It then performs a multistage targeted attack that is aimed at compromising the survived network that may have vulnerabilities. We first present a unique infrastructure for an ad-hoc migration scheme (IAMS) where the nodes under a failed AP form an ad-hoc network and reconnect to the network using available neighboring APs. We then present a scheme for isolating and removing any malicious nodes from the ad-hoc network routes in a transparent manner once the malicious nodes have been identified. This will minimize the chances of further attacks in the survived network, and the removal is done in a distributed fashion without the nodes exchanging any information between them. We report the results of our simulations performed using the network simulation tool GloMoSim.
Citations: 18
Malware defense using network security authentication
Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.11
Joseph V. Antrosio, E. Fulp
Malware defenses have primarily relied upon intrusion fingerprints to detect suspicious network behavior. While effective for discovering computers that are already compromised, these systems are not designed to stop the spread or damage of malware. Standard gateway firewalls can prevent outside-based attacks; however, they are ineffective in a mobile network where threats originate from inside and administrators have limited control over client machines. This paper introduces a new strategy for malware defense using security authentication which focuses on vulnerabilities rather than exploits. The proposed system uses a remote security scanner to check for vulnerabilities and quarantines machines using logical network segmentation. This maximizes the usefulness of the machine in question while preventing attacks. Furthermore, given the unique ability to quarantine machines without any specialized host software, the proposed system can defend against internal malware threats in a mobile network. Positive results have been achieved utilizing a proof-of-concept model and standard networking tools.
Citations: 15