Accurate and efficient exploit capture and classification


Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels. However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present SeismoMeter, which recognizes both control-flow hijacking and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident, SeismoMeter generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. SeismoMeter then classifies the captured exploits into different exploit families by computing distances between the extracted skeletons. To evaluate the efficiency of SeismoMeter, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that SeismoMeter is a practical system that successfully detects and correctly classifies all these exploit attacks.

Exploits (especially 0-day exploits) have become one of the most serious threats to computer security. Today, security researchers face large numbers of exploits every day, collected from honeypot systems, forensic systems and underground markets. However, there is no fast and effective method for analyzing these collected exploits. We implemented SeismoMeter, which can recognize exploit attacks that hijack control flow. We also combined taint analysis and API sandboxing to further improve the accuracy of attack recognition. When an exploit attack is detected, SeismoMeter builds an Exploit Skeleton for the captured exploit based on the attack. It then classifies the exploits according to these Exploit Skeletons. We tested SeismoMeter with common penetration testing platforms such as Metasploit, and also with exploits captured in the wild. The experimental results show that SeismoMeter can quickly and correctly detect exploit attacks and classify the exploits.
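The abstract describes classifying captured exploits by computing distances between their skeletons. The following is an added illustration of that idea, not the paper's code: it assumes a skeleton is a sequence of event labels (approximate-CFI alerts, taint sink hits, sandboxed API calls), uses edit distance as the metric, and uses constructed family exemplars and a constructed threshold.

```python
# Added example (not SeismoMeter's implementation). A skeleton is modelled as an
# ordered list of event tokens; the token vocabulary below is an assumption:
#   "cfi:ret-violation"   approximate-CFI detected a bad return target
#   "taint:eip"           tainted data reached the instruction pointer
#   "api:VirtualProtect"  a call seen by the API sandbox
# Constructed exemplar skeletons, one per hypothetical exploit family.
FAMILY_EXEMPLARS = {
    "heap-spray-rop": ["taint:heap", "cfi:ret-violation", "api:VirtualProtect", "api:WinExec"],
    "stack-overflow": ["taint:stack", "taint:eip", "cfi:ret-violation", "api:WinExec"],
    "data-only":      ["taint:heap", "api:VirtualProtect", "api:CreateFile"],
}


def edit_distance(a, b):
    """Levenshtein distance between two token sequences."""
    prev = list(range(len(b) + 1))
    for i, ta in enumerate(a, 1):
        cur = [i]
        for j, tb in enumerate(b, 1):
            cost = 0 if ta == tb else 1
            cur.append(min(prev[j] + 1,        # delete ta
                           cur[j - 1] + 1,     # insert tb
                           prev[j - 1] + cost))  # substitute / match
        prev = cur
    return prev[-1]


def skeleton_distance(a, b):
    """Distance normalised to [0, 1] so skeletons of different lengths compare fairly."""
    return edit_distance(a, b) / max(len(a), len(b), 1)


def classify(skeleton, exemplars=FAMILY_EXEMPLARS, threshold=0.5):
    """Return (family, distance) for the nearest exemplar, or ("unknown", distance)
    when no family is within the threshold, i.e. the sample may be a new family
    that deserves manual analysis. The threshold value is an assumption."""
    family, exemplar = min(exemplars.items(),
                           key=lambda kv: skeleton_distance(skeleton, kv[1]))
    d = skeleton_distance(skeleton, exemplar)
    return (family if d <= threshold else "unknown", d)


if __name__ == "__main__":
    # Constructed skeleton of a freshly captured sample: a stack overflow variant
    # whose final API differs from the exemplar.
    sample = ["taint:stack", "taint:eip", "cfi:ret-violation", "api:CreateProcess"]
    print(classify(sample))  # ('stack-overflow', 0.25)
```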

DOI: 10.1007/s11432-016-5521-0

@article{Ding2016AccurateAE, title={Accurate and efficient exploit capture and classification}, author={Yu Ding and Tao Wei and Hui Xue and Yulong Zhang and Chao Zhang and Xinhui Han}, journal={Science China Information Sciences}, year={2016}, volume={60}, pages={1-17} }