Behavioral Signature Generation using Shadow Honeypot

A novel behavioral detection framework is proposed to detect zero day buffer overflow vulnerabilities (based on network behavioral signatures) using zero-day exploits, instead of the signature-based or anomaly-based detection solutions currently available for IDPS techniques. At first we present the detection model that uses shadow honeypot. Our system is used for the online processing of network attacks and generating a behavior detection profile. The detection profile represents the dataset of 112 types of metrics describing the exact behavior of malware in the network. In this paper we present the examples of generating behavioral signatures for two attacks – a buffer overflow exploit on FTP server and well known Conficker worm. We demonstrated the visualization of important aspects by showing the differences between valid behavior and the attacks. Based on these metrics we can detect attacks with a very high probability of success, the process of detection is however very expensive.

Authors:

• Maros Barabas
• Michal Drozd
• Petr Hanacek

Keywords:

• behavioral signatures
• metrics
• network
• security design

References:

[1] Garcia-Teodoro, P., Díaz-Verdejo, J. E., MaciáFernández, G., Vázquez,
E., Anomaly-based network intrusion detection: Techniques, systems
and challenges", p. 18-28, 2009.
[2] C. Cowan, P. Wagle, C. Pu, S. Beattie, J. Walpole, BufferOverflows:
Attacks and Defenses for the Vulnerability of the Decade, Oasis, p.227,
Foundations of Intrusion Tolerant Systems (OASIS'03)2003.
[3] Ke Wang, Salvatore J. Stolfo, Anomalous Payload-Based Network
Intrusion Detection", 2004.
[4] L. Ertoz, E. Eilertson, A. Lazarevic, P.-Ning Tan, P. Dokas, V. Kumar,
J. Srivastava, Detection and Summarization of Novel Network Attacks
Using Data Mining", 2004.
[5] "NetFlow", Cisco Systems, Inc, 2011, URL: www.cisco.com/
go/netflow.
[6] W. Lee and S. Stolfo, "A Framework for Constructing Features and
Models for Intrusion Detection Systems", ACM Transactions on
Information and System Security, 3(4), November 2000.
[7] M. Mahoney, P. K. Chan, "An Analysis of the 1999 DARPA/Lincoln
Laboratory Evaluation Data for Network Anomaly Detection", RAID
2003, 220-237.
[8] P. Porras and P. Neumann, "EMERALD: Event Monitoring Enabled
Responses to Anomalous Live Disturbances", National Information
Systems Security Conference, 1997.
[9] G. Vigna and R. Kemmerer, "NetSTAT: A Network-based intrusion
detection approach", Computer Security Application Conference, 1998.
[10] M. Mahoney, P. K. Chan, "Learning Nonstationary Models of Normal
Network Traffic for Detecting Novel Attacks", Proc. SIGKDD 2002,
376-385.
[11] G. Portokalidis, A. Slowinska, H. Bos, "Argos: an Emulator for
Fingerprinting Zero-Day Attacks", in Proc. ACM
SIGOPSEUROSYS'2006, 2006.
[12] J. Berg, E. Teran, S. Stover, "Investigating Argos", an Article in
USENIX Magazine: ;login, 2008.
[13] KDD Cup 1999, October 2007, URL: http://kdd.ics.uci.edu/
databases/kddcup99/kddcup99.html.
[14] Stack-based buffer overflow in CesarFTP 0.99g, , URL:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2961.
[15] Server Service Vulnerability, URL: http://cve.mitre.org/cgi-bin/
cvename.cgi?name=2008-4250.